MS10-001: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)
High Nessus Plugin ID 43865
Synopsis
It is possible to execute arbitrary code on the remote Windows host
using the Embedded OpenType Font Engine.

Description
The remote Windows host contains a version of the Embedded OpenType
(EOT) Font Engine that is affected by an integer overflow
vulnerability in the 'LZCOMP' decompressor when decompressing a
specially crafted font.
If an attacker can trick a user on the affected system into viewing
content rendered in a specially crafted EOT font, this issue could be
leveraged to execute arbitrary code subject to the user's privileges.

Solution
Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista, 2008, and Windows 7.