CERT-In Vulnerability Note
Remote Code Execution Vulnerability in Microsoft Windows Uniscribe
Original Issue Date: December 09, 2015
Severity Rating: HIGH
- Windows 7 Service Pack 1 (32 bit and 64 bit systems)
- Windows Server 2008 R2 Service Pack 1 (64 based and Itanium based systems)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
A remote code execution vulnerability has been reported in Microsoft Windows Uniscribe which could be exploited by an attacker to execute arbitrary code and cause denial of service conditions on the targeted system.
This vulnerability exists in Microsoft Windows Uniscribe due to improper parsing of specially crafted fonts. Uniscribe is a set of APIs that allow a high degree of control for fine typography and for processing complex scripts. An attacker could exploit this vulnerability by creating a specially crafted web page and enticing the user to visit this page.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the targeted system; install software; view, change, or delete data; or create new accounts with admin rights. A failed exploitation attempt could also cause denial of service conditions.
Apply appropriate patches as mentioned in Microsoft Security Bulletin
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003