======================================================================

                     Secunia Research 08/12/2015

       Microsoft Windows usp10.dll "GetFontDesc()" Integer
                      Underflow Vulnerability

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* Microsoft Windows 7
* Microsoft Windows Server 2008

======================================================================
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an integer underflow error within the
"GetFontDesc()" function in usp10.dll when processing the cmap table
of a font file. It can be exploited to cause a heap-based buffer
overflow via a font file containing cmap table data with a specially
crafted offset within the encoding records.

Successful exploitation allows execution of arbitrary code.

======================================================================
4) Solution

Apply update provided by MS15-130.

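The bug class named in section 3, shown as an added example: this is not Secunia's or Microsoft's code and not a reconstruction of "GetFontDesc()". It contrasts an unsigned subtraction that wraps on an out-of-range encoding record offset with a checked validator for the OpenType cmap header and encoding records; all function names, return codes and sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian field readers; callers have already bounds-checked the bytes. */
static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t be32(const uint8_t *p) { return (be16(p) << 16) | be16(p + 2); }

/* Underflow-prone pattern: unsigned subtraction wraps when offset > len,
 * so the "bytes remaining" value becomes huge instead of negative. */
uint32_t remaining_unchecked(uint32_t len, uint32_t offset) { return len - offset; }

/* Checked form: fails instead of wrapping. */
int remaining_checked(uint32_t len, uint32_t offset, uint32_t *out) {
    if (offset > len) return -1;
    *out = len - offset;
    return 0;
}

/* cmap layout (OpenType): uint16 version, uint16 numTables, then numTables
 * encoding records of uint16 platformID, uint16 encodingID, uint32 offset.
 * Returns 0 when every record offset is usable, a negative code otherwise. */
int cmap_validate(const uint8_t *cmap, size_t len) {
    if (len < 4 || len > UINT32_MAX) return -1;
    uint32_t n = be16(cmap + 2);
    uint32_t records_end = 4 + n * 8;      /* n <= 65535: cannot overflow */
    if (records_end > len) return -2;      /* record array is truncated */
    for (uint32_t i = 0; i < n; i++) {
        uint32_t off = be32(cmap + 4 + i * 8 + 4), rem;
        if (off < records_end) return -3;  /* strict policy: no overlap with records */
        if (remaining_checked((uint32_t)len, off, &rem) != 0) return -4;
        if (rem < 2) return -5;            /* no room for the subtable format field */
    }
    return 0;
}

/* Constructed sample tables (not taken from any real font file). */
const uint8_t SAMPLE_OK[]  = {0,0, 0,1,  0,3, 0,1, 0,0,0,0x0C,  0,4};
const uint8_t SAMPLE_BAD[] = {0,0, 0,1,  0,3, 0,1, 0,0,0,0x40,  0,4};

int main(void) {
    printf("ok=%d bad=%d wrapped=0x%08X\n",
           cmap_validate(SAMPLE_OK, sizeof SAMPLE_OK),
           cmap_validate(SAMPLE_BAD, sizeof SAMPLE_BAD),
           (unsigned)remaining_unchecked(sizeof SAMPLE_BAD, 0x40));
    return 0;
}
```
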
======================================================================
5) Time Table

09/10/2015 - Vendor notified.
12/10/2015 - Vendor response.
17/10/2015 - Status update provided by the vendor.
28/10/2015 - Vendor provides December 2015 as intended fix date.
08/12/2015 - Release of vendor patch and public disclosure.

======================================================================
6) Credits

Discovered by Hossein Lotfi, Secunia Research (now part of Flexera
Software).

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2015-6130 identifier for the vulnerability.

======================================================================
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals who are interested in or concerned about IT security:

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to help improve the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members.
Check the URL below to see currently vacant positions:

http://secunia.com/company/jobs/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-6/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================