Multiple vulnerabilities in Microsoft Graphics Component
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2017-11763 CVE-2017-8693 CVE-2017-11824 CVE-2017-11762 |
| CWE-ID | CWE-20 CWE-200 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU8761
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11763
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to input validation error the Windows font library improperly handles specially crafted embedded fonts. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Install updates from vendor's website.
Vulnerable software versionsWindows: 7 - 10
Windows Server: 2008 - 2016 10.0.14393.10
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11763
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU8762
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8693
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists due to an error when the Microsoft Windows Graphics Component improperly handles objects in memory. A local attacker can run a specially crafted application and gain access to potentially sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 10
Windows Server: 2016 10.0.14393.10
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8693
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Memory corruption
EUVDB-ID: #VU8763
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11824
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when the Windows Graphics Component improperly handles objects in memory. A local attacker can run a specially crafted application, trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Install updates from vendor's website.
Vulnerable software versionsWindows: 7 - 10
Windows Server: 2008 - 2016 10.0.14393.10
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11824
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper input validation
EUVDB-ID: #VU8725
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11762
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to improper handling of specially crafted embedded fonts by the Windows font library. A remote attacker can send a specially crafted content, trick the victim into opening it and execute arbitrary code with SYSTEM privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsWindows: 7 - 10
Windows Server: 2008 - 2016 10.0.14393.10
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11762
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
