ID CVE-2011-3402
Summary Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."
References
Vulnerable Configurations
  • Microsoft Windows 7 64-bit Service Pack 1 (initial release)
    cpe:2.3:o:microsoft:windows_7:-:sp1:x64
  • Microsoft Windows 7 x86 Service Pack 1
    cpe:2.3:o:microsoft:windows_7:-:sp1:x86
  • Microsoft Windows Server 2003 Service Pack 2
    cpe:2.3:o:microsoft:windows_server_2003:-:sp2
  • Windows Server 2008 Service Pack 2 for 32-bit systems
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x32
  • Microsoft Windows Server 2008 Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64
  • Microsoft Windows Server 2008 Service Pack 2
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2
  • Microsoft Windows Server 2008 R2 Service Pack 1 Itanium
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:itanium
  • Microsoft Windows Server 2008 R2 Service Pack 1 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:x64
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
  • Microsoft Windows Vista Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_vista:-:sp2:x64
  • Microsoft Windows XP Service Pack 2
    cpe:2.3:o:microsoft:windows_xp:-:sp2
  • Microsoft Windows XP Service Pack 3
    cpe:2.3:o:microsoft:windows_xp:-:sp3
CVSS
Base: 9.3 (as of 07-11-2011 - 14:55)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
metasploit via4
description This module searches for CVE-2011-3402 (Duqu) related registry artifacts.
id MSF:POST/WINDOWS/GATHER/FORENSICS/DUQU_CHECK
last seen 2019-03-20
modified 2017-07-24
published 2011-11-10
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/forensics/duqu_check.rb
title Windows Gather Forensics Duqu Registry Check
msbulletin via4
  • bulletin_id MS12-039
    bulletin_url
    date 2012-06-12T00:00:00
    impact Remote Code Execution
    knowledgebase_id 2707956
    knowledgebase_url
    severity Important
    title Vulnerabilities in Lync Could Allow Remote Code Execution
  • bulletin_id MS12-034
    bulletin_url
    date 2012-05-08T00:00:00
    impact Remote Code Execution
    knowledgebase_id 2681578
    knowledgebase_url
    severity Critical
    title Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
  • bulletin_id MS11-087
    bulletin_url
    date 2011-12-13T00:00:00
    impact Remote Code Execution
    knowledgebase_id 2639417
    knowledgebase_url
    severity Critical
    title Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
nessus via4
  • NASL family Windows
    NASL id SMB_KB2639658.NASL
    description The remote host has an unspecified code execution vulnerability in the Win32k TrueType font parsing engine. Specially crafted TrueType fonts are not properly handled, which could allow arbitrary code execution in kernel mode. A remote attacker could exploit this vulnerability by tricking a user into viewing a specially crafted TrueType font (e.g., via web or email). This vulnerability is reportedly exploited by the Duqu malware and is being exploited in the wild. Note that this plugin has been deprecated on December 13, 2011 with the publication by Microsoft of MS11-087.
    last seen 2017-10-29
    modified 2017-08-30
    plugin id 56711
    published 2011-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56711
    title MS KB2639658: Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege (DEPRECATED)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS12-034.NASL
    description The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities:
    • A flaw exists in the Win32k TrueType font parsing engine that allows an unauthenticated, remote attacker to execute arbitrary code by convincing a user to open a Word document containing malicious font data. (CVE-2011-3402)
    • A flaw exists in the t2embed.dll module when parsing TrueType fonts. An unauthenticated, remote attacker can exploit this, via a crafted TTF file, to execute arbitrary code. (CVE-2012-0159)
    • A flaw exists in the .NET Framework due to a buffer allocation error when handling an XBAP or .NET application. An unauthenticated, remote attacker can exploit this, via a specially crafted application, to execute arbitrary code. (CVE-2012-0162)
    • A flaw exists in the .NET Framework due to an error when comparing the value of an index in a WPF application. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2012-0164)
    • A flaw exists in GDI+ when handling specially crafted EMF images that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2012-0165)
    • A heap buffer overflow condition exists in Microsoft Office in the GDI+ library when handling EMF images embedded in an Office document. An unauthenticated, remote attacker can exploit this to execute arbitrary code by convincing a user to open a specially crafted document. (CVE-2012-0167)
    • A double-free error exists in agcore.dll when rendering XAML strings containing Hebrew Unicode glyphs of certain values. An unauthenticated, remote attacker can exploit this to execute arbitrary code by convincing a user to visit a specially crafted web page. (CVE-2012-0176)
    • A privilege escalation vulnerability exists in the way the Windows kernel-mode driver manages the functions related to Windows and Messages handling. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2012-0180)
    • A privilege escalation vulnerability exists in the way the Windows kernel-mode driver manages Keyboard Layout files. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2012-0181)
    • A privilege escalation vulnerability exists in the way the Windows kernel-mode driver manages scrollbar calculations. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2012-1848)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 59042
    published 2012-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59042
    title MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS12-039.NASL
    description The remote Windows host is potentially affected by the following vulnerabilities:
    • Multiple code execution vulnerabilities exist in the handling of specially crafted TrueType font files. (CVE-2011-3402, CVE-2012-0159)
    • An insecure library loading vulnerability exists in the way that Microsoft Lync handles the loading of DLL files. (CVE-2012-1849)
    • An HTML sanitization vulnerability exists in the way that HTML is filtered. (CVE-2012-1858)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 59457
    published 2012-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59457
    title MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS11-087.NASL
    description The remote host is running a version of the Windows kernel that is affected by a remote code execution vulnerability. Specially crafted TrueType fonts are not properly handled, which could allow arbitrary code execution in kernel mode. A remote attacker could exploit this vulnerability by tricking a user into viewing a specially crafted TrueType font (e.g., via web or email). This vulnerability is reportedly being exploited in the wild by the Duqu malware.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 57273
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57273
    title MS11-087: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_MS12-034.NASL
    description The version of Microsoft Silverlight installed on the remote host is reportedly affected by several vulnerabilities:
    • Incorrect handling of TrueType font (TTF) files could lead to arbitrary code execution. (CVE-2011-3402 / CVE-2012-0159)
    • A double-free condition leading to arbitrary code execution could be triggered when rendering specially crafted XAML glyphs. (CVE-2012-0176)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 59045
    published 2012-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59045
    title MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578) (Mac OS X)
oval via4
  • accepted 2013-05-06T04:01:13.747-04:00
    class vulnerability
    contributors
    • name Josh Turpin
      organization Symantec Corporation
    • name Sharath S
      organization SecPod Technologies
    definition_extensions
    • comment Microsoft Windows XP (x86) SP3 is installed
      oval oval:org.mitre.oval:def:5631
    • comment Microsoft Windows XP x64 Edition SP2 is installed
      oval oval:org.mitre.oval:def:4193
    • comment Microsoft Windows Server 2003 SP2 (x64) is installed
      oval oval:org.mitre.oval:def:2161
    • comment Microsoft Windows Server 2003 SP2 (x86) is installed
      oval oval:org.mitre.oval:def:1935
    • comment Microsoft Windows Server 2003 (ia64) SP2 is installed
      oval oval:org.mitre.oval:def:1442
    • comment Microsoft Windows Vista (32-bit) Service Pack 2 is installed
      oval oval:org.mitre.oval:def:6124
    • comment Microsoft Windows Vista x64 Edition Service Pack 2 is installed
      oval oval:org.mitre.oval:def:5594
    • comment Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
      oval oval:org.mitre.oval:def:5653
    • comment Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
      oval oval:org.mitre.oval:def:6216
    • comment Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
      oval oval:org.mitre.oval:def:6150
    • comment Microsoft Windows 7 (32-bit) is installed
      oval oval:org.mitre.oval:def:6165
    • comment Microsoft Windows 7 x64 Edition is installed
      oval oval:org.mitre.oval:def:5950
    • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
      oval oval:org.mitre.oval:def:6438
    • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
      oval oval:org.mitre.oval:def:5954
    • comment Microsoft Windows 7 (32-bit) Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12292
    • comment Microsoft Windows 7 x64 Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12627
    • comment Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12567
    • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12583
    description Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."
    family windows
    id oval:org.mitre.oval:def:13998
    status accepted
    submitted 2011-11-08T13:00:00
    title Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
    version 73
  • accepted 2014-08-18T04:01:12.393-04:00
    class vulnerability
    contributors
    • name SecPod Team
      organization SecPod Technologies
    • name Evgeniy Pavlov
      organization ALTX-SOFT
    definition_extensions
    • comment Microsoft Lync 2010 is installed
      oval oval:org.mitre.oval:def:15099
    • comment Microsoft Lync 2010 Attendee (user level install) is installed
      oval oval:org.mitre.oval:def:15641
    • comment Microsoft Lync 2010 Attendee (admin level install) is installed
      oval oval:org.mitre.oval:def:15556
    description Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."
    family windows
    id oval:org.mitre.oval:def:15290
    status accepted
    submitted 2012-06-18T15:13:15
    title TrueType Font Parsing Vulnerability (CVE-2011-3402)
    version 13
  • accepted 2015-08-10T04:00:20.036-04:00
    class vulnerability
    contributors
    • name Dragos Prisaca
      organization Symantec Corporation
    • name Josh Turpin
      organization Symantec Corporation
    • name Sergey Artykhov
      organization ALTX-SOFT
    • name Shane Shaffer
      organization G2, Inc.
    • name Sharath S
      organization SecPod Technologies
    • name Maria Kedovskaya
      organization ALTX-SOFT
    • name Maria Mikhno
      organization ALTX-SOFT
    definition_extensions
    • comment Microsoft Windows Vista (32-bit) Service Pack 2 is installed
      oval oval:org.mitre.oval:def:6124
    • comment Microsoft Windows Vista x64 Edition Service Pack 2 is installed
      oval oval:org.mitre.oval:def:5594
    • comment Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
      oval oval:org.mitre.oval:def:5653
    • comment Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
      oval oval:org.mitre.oval:def:6216
    • comment Microsoft Windows 7 (32-bit) is installed
      oval oval:org.mitre.oval:def:6165
    • comment Microsoft Windows 7 x64 Edition is installed
      oval oval:org.mitre.oval:def:5950
    • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
      oval oval:org.mitre.oval:def:6438
    • comment Microsoft Windows 7 (32-bit) Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12292
    • comment Microsoft Windows 7 x64 Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12627
    • comment Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12567
    • comment Microsoft Windows XP (x86) SP3 is installed
      oval oval:org.mitre.oval:def:5631
    • comment Microsoft Windows XP x64 Edition SP2 is installed
      oval oval:org.mitre.oval:def:4193
    • comment Microsoft Windows Server 2003 SP2 (x86) is installed
      oval oval:org.mitre.oval:def:1935
    • comment Microsoft Windows Server 2003 SP2 (x64) is installed
      oval oval:org.mitre.oval:def:2161
    • comment Microsoft Windows Server 2003 (ia64) SP2 is installed
      oval oval:org.mitre.oval:def:1442
    • comment Microsoft Windows Vista (32-bit) Service Pack 2 is installed
      oval oval:org.mitre.oval:def:6124
    • comment Microsoft Windows Vista x64 Edition Service Pack 2 is installed
      oval oval:org.mitre.oval:def:5594
    • comment Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
      oval oval:org.mitre.oval:def:5653
    • comment Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
      oval oval:org.mitre.oval:def:6216
    • comment Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
      oval oval:org.mitre.oval:def:6150
    • comment Microsoft Windows 7 (32-bit) is installed
      oval oval:org.mitre.oval:def:6165
    • comment Microsoft Windows 7 x64 Edition is installed
      oval oval:org.mitre.oval:def:5950
    • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
      oval oval:org.mitre.oval:def:6438
    • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
      oval oval:org.mitre.oval:def:5954
    • comment Microsoft Windows 7 (32-bit) Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12292
    • comment Microsoft Windows 7 x64 Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12627
    • comment Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12567
    • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed
      oval oval:org.mitre.oval:def:12583
    • comment Microsoft Windows XP (x86) SP3 is installed
      oval oval:org.mitre.oval:def:5631
    • comment Microsoft Windows XP x64 Edition SP2 is installed
      oval oval:org.mitre.oval:def:4193
    • comment Microsoft Windows Server 2003 SP2 (x64) is installed
      oval oval:org.mitre.oval:def:2161
    • comment Microsoft Windows Server 2003 SP2 (x86) is installed
      oval oval:org.mitre.oval:def:1935
    • comment Microsoft Windows Server 2003 (ia64) SP2 is installed
      oval oval:org.mitre.oval:def:1442
    • comment Microsoft Silverlight 4 is installed
      oval oval:org.mitre.oval:def:14639
    • comment Microsoft Silverlight 5 is installed
      oval oval:org.mitre.oval:def:15148
    • comment Microsoft Office 2003 is installed
      oval oval:org.mitre.oval:def:233
    • comment Microsoft Office 2007 is installed
      oval oval:org.mitre.oval:def:1211
    • comment Microsoft Office 2010 is installed
      oval oval:org.mitre.oval:def:12061
    description Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."
    family windows
    id oval:org.mitre.oval:def:15645
    status accepted
    submitted 2012-05-08T13:00:00
    title TrueType Font Parsing Vulnerability (CVE-2011-3402)
    version 106
refmap via4
cert
  • TA11-347A
  • TA12-129A
  • TA12-164A
confirm
misc
ms
  • MS11-087
  • MS12-034
  • MS12-039
sectrack 1027039
secunia
  • 49121
  • 49122
Last major update 06-03-2013 - 23:47
Published 04-11-2011 - 17:55
Last modified 26-02-2019 - 09:04