Vulnerability Name: CVE-2011-3402 (CCN-71073) Assigned: 2011-10-11 Published: 2011-10-11 Updated: 2020-09-28 Summary: Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability." CVSS v3 Severity: 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C 7.7 High (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C 7.7 High (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-noinfo Vulnerability Consequences: Gain Access References: Source: MISChttp://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files http://blogs.technet.com/b/msrc/archive/2011/11/03/microsoft-releases-security-advisory-2639658.aspx CVE-2011-3402 Post Windows Gather Forensics Duqu Registry Check http://isc.sans.edu/diary/Duqu+Mitigation/11950 Microsoft Windows win32k.sys TrueType Font Parsing Vulnerability Microsoft Lync / Office Communicator Multiple Vulnerabilities Microsoft Office Multiple Vulnerabilities 49121 Microsoft Silverlight Multiple Vulnerabilities 49122 Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465) Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653) Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578) Vulnerabilities in Lync Could Allow Remote Code Execution (2707956) Vulnerabilities in HTML Sanitization Component Could Allow Elevation of Privilege (2741517) Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2720184) Vulnerability in Silverlight Could Allow Remote Code Execution (2814124) Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176) Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818) Vulnerability in Lync Could Allow Remote Code Execution (2834695) Vulnerability in Windows Components Could Allow Remote Code Execution (2848295) Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052) Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300) Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089) Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080) Vulnerability in Microsoft Lync Could Allow Information Disclosure Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) Vulnerability in Microsoft SharePoint Server Could Allow Elevation of Privilege (3000431) Vulnerabilities in MicrosoftExcel Could Allow Remote Code Execution (3017347) Security Updates for Microsoft Office to Address Remote Code Execution (3104540) Security Update for Microsoft Office to Address Remote Code Execution (3116111) Security Update for Microsoft Office to Address Remote Code Execution - Critical (3124585) Security Update for Microsoft Office to Address Remote Code Execution (3134226) Security Update for Microsoft Office to Address Remote Code Execution (3141806) Security Update for Microsoft Office (3148775) Security Update for Microsoft Office (3155544) Security Update for Office (3163610) Security Updates for Office (3170008) Security Update for Office (3177451) Security Update for Microsoft Office (3185852) Security Update for Microsoft Office (3194063) Security Update for Microsoft Office (3199168) Security Update for Microsoft Office (3204068) Security Update for Microsoft Office (3214291) Security Update for Microsoft Graphics Component (4013075) Security Update for Microsoft Office (4013241) http://technet.microsoft.com/security/advisory/2639658 Microsoft Windows http://www.securelist.com/en/blog/208193197/The_Mystery_of_Duqu_Part_Two Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability 1027039 http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf W32.Duqu TA11-347A TA12-129A TA12-164A http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-291-01E.pdf MS11-087 MS12-034 MS12-039 ms-win-duqu-code-execution(71073) oval:org.mitre.oval:def:13998 oval:org.mitre.oval:def:15290 oval:org.mitre.oval:def:15645 Vulnerable Configuration: Configuration 1 :cpe:/o:microsoft:windows_7:-:sp1:*:*:ultimate_n:*:x64:* OR cpe:/o:microsoft:windows_7:-:sp1:*:*:ultimate_n:*:x86:* OR cpe:/o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:* OR cpe:/o:microsoft:windows_xp:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_xp:*:sp3:*:*:*:*:*:* Configuration CCN 1 :cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:* OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:* OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:* OR cpe:/o:microsoft:windows:xp:sp3:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:-:sp2:x64:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:-:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_7:-:*:*:*:*:*:x32:* OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:itanium:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:itanium:* OR cpe:/o:microsoft:windows_7:-:sp1:*:*:ultimate_n:*:x64:* OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:* OR cpe:/a:microsoft:lync:2010:*:*:*:*:*:*:* OR cpe:/a:microsoft:lync:2010:*:attendee:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2012:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_8:*:*:*:*:*:*:*:* Oval Definitions BACK
microsoft windows 7 - sp1
microsoft windows 7 - sp1
microsoft windows server 2003 * sp2
microsoft windows server 2008 * sp2
microsoft windows server 2008 * sp2
microsoft windows server 2008 - sp2
microsoft windows vista * sp2
microsoft windows vista * sp2
microsoft windows xp * sp2
microsoft windows xp * sp3
microsoft windows server_2003 sp2
microsoft windows server_2003 sp2
microsoft windows server_2003 sp2
microsoft windows xp sp2
microsoft windows server 2008 -
microsoft windows xp sp3
microsoft windows vista - sp2
microsoft windows vista - sp2
microsoft windows server 2008 sp2
microsoft windows server 2008 sp2
microsoft windows 7 -
microsoft windows server 2008 - r2
microsoft windows server 2008 r2
microsoft windows server 2008
microsoft windows 7 - sp1
microsoft windows server 2008 r2 sp1
microsoft windows server 2008 r2 sp1
microsoft lync 2010
microsoft lync 2010
microsoft windows server 2012
microsoft windows 8 *
Denotes that component is vulnerable