CVE Alert: CVE-2011-3402
CVE-2011-3402
Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."
AI Summary Analysis
Risk verdict
High-risk with active exploitation and known exploit history; treat as priority 1.
Why this matters
A kernel-level remote code execution via crafted TrueType font data means an attacker can gain full control of an affected endpoint once a user opens a poisoned Word document or web page. The flaw was used in a high-profile campaign (Duqu), and the combination of a network vector with only user interaction required raises the chance of rapid, widespread impact across desktops and servers still running the older Windows editions listed above.
Most likely attack path
The attacker delivers a crafted font payload in a document or web page (network vector); the user opens it (UI: required); no local privileges are needed. Successful exploitation yields kernel-level code execution (PR:N, UI:R, C/I/A:H), enabling persistence and potential lateral movement within trusted networks (Scope unchanged). The precondition is that the victim runs an unpatched Windows version susceptible to the font-parsing vulnerability.
Who is most exposed
Organizations with legacy Windows deployments (XP/2003/Vista/2008-era), and environments where users frequently open external Word documents or browse untrusted pages, remain at highest risk.
Detection ideas
- Unusual win32k.sys or font-parsing-related kernel events in security logs.
- Attempts to load or parse tampered TrueType data triggered by Word/IE/Edge processes.
- A spike in crash or fault events linked to font rendering, followed by rapid process spawning.
- Anomalous code or script execution associated with Office documents shortly after they are opened.
- Correlated alerts from EDR or similar endpoint telemetry following document-open events.
Mitigation and prioritisation
- Apply the latest Microsoft security updates (MS11-087 lineage and successors); confirm coverage for all affected Windows versions; test before broad rollout. Treat as priority 1.
- Enforce Protected View, disable auto-run macros in Office, and restrict opening documents from untrusted sources; implement network segmentation and application allow lists.
- Consider endpoint hardening: updated EDR, kernel audit logging, and rapid patch-management cycles; plan for upgrade of end-of-life systems.
- If patching is delayed, implement compensating controls: restrict web font loading to trusted sources, disable font embedding in Office where feasible, and monitor for font-rendering anomalies.
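The patch check and the crash-correlation detection idea above, as an added triage script that is not part of this alert: it confirms whether the host is one of the affected Windows versions, checks for the MS11-087 update (the KB article id is an assumed operator-supplied parameter taken from the bulletin, not hard-coded here), and lists recent kernel bugchecks and Word/IE crashes from the event logs. Only Get-WmiObject, Get-HotFix and Get-EventLog are used so it runs on PowerShell 2.0-era hosts.

```powershell
<#
  Added example, not from the alert: CVE-2011-3402 exposure triage for one host.
  Assumption: $Ms11087KbId is the KB number of the MS11-087 update for this OS,
  looked up by the operator from the bulletin.
#>
param(
    [Parameter(Mandatory = $true)] [string] $Ms11087KbId,  # KB id from the MS11-087 bulletin
    [int] $LookbackDays = 7
)

# OS major.minor versions named in the alert: XP 5.1, 2003 5.2, Vista/2008 6.0, 7/2008 R2 6.1
$affected = @('5.1', '5.2', '6.0', '6.1')
$os = Get-WmiObject Win32_OperatingSystem
$osVer = ($os.Version -split '\.')[0..1] -join '.'
$isAffected = $affected -contains $osVer
Write-Output ("OS: {0} ({1}) affected-version: {2}" -f $os.Caption, $os.Version, $isAffected)

# Patch check via Win32_QuickFixEngineering. A missing KB is "verify", not proof of exposure:
# a later rollup may have superseded it.
$kb = Get-HotFix | Where-Object { $_.HotFixID -eq $Ms11087KbId }
if ($isAffected -and -not $kb) {
    Write-Output "MS11-087 ($Ms11087KbId) not found: verify patch state, priority 1 per alert"
} elseif ($kb) {
    Write-Output ("MS11-087 ({0}) installed on {1}" -f $kb.HotFixID, $kb.InstalledOn)
}

$since = (Get-Date).AddDays(-$LookbackDays)

# Kernel crashes: a failed win32k.sys font-parsing exploit attempt typically bugchecks the
# machine; event 1001 (System log, source BugCheck on Vista+, Save Dump on XP/2003) is
# written after the reboot. Count them, then pull dumps for analysis if the count is unusual.
$bugchecks = Get-EventLog -LogName System -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1001 -and $_.Source -match 'BugCheck|Save Dump' }
Write-Output ("Kernel bugchecks in last {0} days: {1}" -f $LookbackDays, @($bugchecks).Count)

# User-mode crashes of the viewers named in the alert (Application log, event 1000
# 'Application Error'); the message text names the faulting application and module.
$viewerCrashes = Get-EventLog -LogName Application -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1000 -and $_.Message -match 'WINWORD\.EXE|iexplore\.exe' }
$viewerCrashes | ForEach-Object {
    Write-Output ("{0} viewer crash: {1}" -f $_.TimeGenerated, ($_.Message -split "`n")[0])
}
```

Run it with elevated rights on each legacy host; a bugcheck count above the host's baseline together with viewer crashes in the same window is the correlation the detection idea describes.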