FYI...Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
• V1.0 (November 3, 2011): Advisory published.
• V1.1 (November 3, 2011): Added localization notation to the Workarounds section.
• V1.2 (November 4, 2011): Revised the workaround, Deny access to T2EMBED.DLL, to improve support for non-English versions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Customers with non-English versions of Microsoft Windows should reevaluate the applicability of the revised workaround for their environment.
V1.3 (November 8, 2011): Added link to MAPP Partners with Updated Protections in the Executive Summary.
November 03, 2011 - "Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks
that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware
. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs...
Workarounds: Deny access to T2EMBED.DLL
Note: See Microsoft Knowledge Base Article 2639658* to use the automated Microsoft Fix it solution
to enable or disable this workaround to deny access to t2embed.dll..."
November 3, 2011 - Revision: 1.0
Impact of Workaround. Applications that rely on embedded font technology will fail to display properly.
Last revised: 11/07/2011
CVSS v2 Base Score: 9.3 (HIGH)
Last Update: 2011-11-07
Criticality level: Extremely critical
Impact: System access
Where: From remote...
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3402
... Reported as a 0-day.
Solution: Apply the Microsoft Fix it*...
Updated: Nov 4 2011
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1; and prior service packs...
... A remote user can create a specially crafted document that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with kernel level privileges. The vulnerability resides in the Win32k.sys kernel driver in the parsing of TrueType fonts...
NOTE: "... The vulnerability cannot be exploited automatically via email unless the user opens an attachment sent in an email message
U.S.CERT: Critical alert
November 1, 2011