PT-2009-4921 · Microsoft · Windows 2000+3
Tavis Ormandy
·
Published
2009-11-11
·
Updated
2023-12-07
·
CVE-2009-2514
CVSS v2.0
9.3
High
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows Server 2003 SP2
Description
A remote code execution issue exists due to the improper parsing of font code when building a table of directory entries. This allows remote attackers to execute arbitrary code via a crafted Embedded OpenType (EOT) font. An attacker who successfully exploited this issue could run arbitrary code in kernel mode, then install programs, view, change, or delete data, or create new accounts with full user rights.
Recommendations
For Windows 2000 SP4, update to a newer version to mitigate the risk.
For Windows XP SP2, update to a newer version to mitigate the risk.
For Windows XP SP3, update to a newer version to mitigate the risk.
For Windows Server 2003 SP2, update to a newer version to mitigate the risk.
Exploit
Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Windows
Windows 2000
Windows Server 2003
Windows Xp