The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Windows, Office, .NET, Lync: code execution via TrueType

Synthesis of the vulnerability 

An attacker can invite the victim to open a document containing a malicious font, generating an error in the Windows kernel, in order to execute code.
Vulnerable systems: Lync, Office, Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Visual Studio, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista, Windows XP.
Severity of this threat: 4/4.
Creation date: 09/07/2013.
References of this weakness: 2848295, CERTA-2013-AVI-400, CVE-2013-3129, MS13-054, VIGILANCE-VUL-13082.

Description of the vulnerability 

A document (Word or HTML for example) can be written with a TrueType font.

However, if the font is malformed, an error occurs in GDI+.

An attacker can therefore invite the victim to open a document containing a malicious font, generating an error in the Windows kernel, in order to execute privileged code. A malicious web page can also be used as an attack vector.

This computer weakness impacts software or systems such as Lync, Office, Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Visual Studio, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista, Windows XP.

Our Vigil@nce team determined that the severity of this vulnerability note is critical.

The trust level is of type "confirmed by the editor", with an origin of "document".

An attacker with an expert ability can exploit this cybersecurity threat.

Solutions for this threat 

Windows, Office, .NET, Lync: patch for TrueType.
A patch is available in information sources.
The Microsoft announcement indicates workarounds.
