Executive Summary
| Summary | |
|---|---|
| Title | Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199) |
| Informations | |||
|---|---|---|---|
| Name | MS10-091 | First vendor Publication | 2010-12-14 |
| Vendor | Microsoft | Last vendor Modification | 2010-12-14 |
| Severity (Vendor) | Critical | Revision | 1.0 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 9.3 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Revision Note: V1.0 (December 14, 2010): Bulletin published.Summary: This security update resolves several privately reported vulnerabilities in the Windows Open Type Font (OTF) driver that could allow remote code execution. An attacker could host a specially crafted OpenType font on a network share. The affected control path is then triggered when the user navigates to the share in Windows Explorer, allowing the specially crafted font to take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
Original Source
| Url : http://www.microsoft.com/technet/security/bulletin/MS10-091.mspx |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 67 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
| 33 % | CWE-399 | Resource Management Errors |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:12280 | |||
| Oval ID: | oval:org.mitre.oval:def:12280 | ||
| Title: | OpenType CMAP Table Vulnerability | ||
| Description: | The OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted CMAP table in an OpenType font, aka "OpenType CMAP Table Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-3959 | Version: | 6 |
| Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 7 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:12329 | |||
| Oval ID: | oval:org.mitre.oval:def:12329 | ||
| Title: | OpenType Font Double Free Vulnerability | ||
| Description: | Double free vulnerability in the OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted OpenType font, aka "OpenType Font Double Free Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-3957 | Version: | 6 |
| Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 7 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:12357 | |||
| Oval ID: | oval:org.mitre.oval:def:12357 | ||
| Title: | OpenType Font Index Vulnerability | ||
| Description: | The OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly perform array indexing, which allows local users to gain privileges via a crafted OpenType font, aka "OpenType Font Index Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-3956 | Version: | 6 |
| Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 7 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2010-12-15 | Name : Microsoft Windows OpenType Compact Font Format Driver Privilege Escalation Vu... File : nvt/secpod_ms10-091.nasl |
| 2010-12-15 | Name : Routing and Remote Access Privilege Escalation Vulnerability (2440591) File : nvt/secpod_ms10-099.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 69822 | Microsoft Windows OpenType Font Driver CMAP Table Parsing Arbitrary Code Exec... A memory corruption flaw exists in Microsoft Windows. The OpenType Font (OTF) driver fails to sanitize user-supplied input when parsing the CMAP table of an OpenType font, resulting in memory corruption. With a specially crafted OpenType font, a context-dependent attacker can execute arbitrary code. |
| 69821 | Microsoft Windows OpenType Font Driver Pointer Handling Double-free Arbitrary... A memory corruption flaw exists in Microsoft Windows. The OpenType Font (OTF) driver fails to properly reset a pointer when freeing memory, causing a double-free error, resulting in memory corruption. With a specially crafted OpenType font, a context-dependent attacker can execute arbitrary code. |
| 69820 | Microsoft Windows OpenType Font Driver Index Array Unspecified Code Execution Microsoft Windows contains an array indexation flaw related to the OpenType Font driver. The issue is triggered when a context-dependent attacker uses a specially crafted OpenType font to corrupt memory. This may allow the execution of arbitrary code. |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2019-09-05 | Microsoft OpenType font index remote code execution attempt RuleID : 50889 - Revision : 1 - Type : FILE-OTHER |
| 2019-09-05 | Microsoft OpenType font index remote code execution attempt RuleID : 50888 - Revision : 1 - Type : FILE-OTHER |
| 2014-01-10 | Microsoft Windows ATMFD font driver remote code execution attempt RuleID : 19119 - Revision : 11 - Type : OS-WINDOWS |
| 2014-01-10 | Microsoft OpenType font index remote code execution attempt RuleID : 19064 - Revision : 15 - Type : FILE-OTHER |
| 2014-01-10 | Microsoft Office Publisher Adobe Font Driver code execution attempt RuleID : 18233 - Revision : 16 - Type : FILE-OFFICE |
| 2014-01-10 | Microsoft Windows ATMFD font driver malformed character glyph remote code exe... RuleID : 18220 - Revision : 10 - Type : OS-WINDOWS |
| 2014-01-10 | Microsoft Windows ATMFD font driver remote code execution attempt RuleID : 18219 - Revision : 16 - Type : FILE-OTHER |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-12-15 | Name : The remote Windows host contains a font driver that allows arbitrary code exe... File : smb_nt_ms10-091.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:46:46 |
|
| 2014-01-19 21:30:33 |
|
