Microsoft Windows TrueType Parsing Engine Code Execution

November 8, 2011

TrueType is an outline font standard originally developed by Apple Computer in the late 1980s as a competitor to Adobe's Type 1 fonts used in PostScript. TrueType has become the most common font format on both Mac OS and Microsoft Windows. On Microsoft Windows, the operating system parses TTF data with a kernel-mode component, the Win32k TrueType font parsing engine.

A remote code execution vulnerability has been found in Microsoft Windows. Specifically, the vulnerability lies in the Win32k TrueType font parsing engine. By exploiting this vulnerability, an attacker could run arbitrary code in kernel mode on the target system. This vulnerability is related to the Duqu malware.

The SonicWALL UTM team has researched this vulnerability and released the following GAV signature:

  • 56984 TTF.Exp.MP.1

The vendor, Microsoft, refers to this vulnerability as 2639658, and it has been assigned CVE-2011-3402.