Overview
A heap-based buffer overflow in the way Microsoft Windows processes embedded web fonts may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Microsoft Windows contains a heap-based buffer overflow in a routine that processes embedded web fonts. The overflow exists due to a lack of validation on compressed embedded web fonts. A remote attacker may be able to trigger the buffer overflow by persuading a user to access a web page or HTML email containing a specially crafted embedded web font. For more information about affected versions of Microsoft Windows, please refer to MS06-002. |
Impact
A remote attacker may be able to execute arbitrary code with the privileges of the attacked user account. |
Solution
Apply an update |
In addition Microsoft suggests the following workarounds to mitigate this vulnerability:
Please see Microsoft Security Bulletin MS06-002 for details on these workarounds. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported in Microsoft Security Bulletin MS06-002. Microsoft credits eEye Digital Security with providing information regarding this issue.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2006-0010 |
| Severity Metric: | 10.69 |
| Date Public: | 2006-01-10 |
| Date First Published: | 2006-01-10 |
| Date Last Updated: | 2006-01-10 20:31 UTC |
| Document Revision: | 34 |