[Microsoft Alert] Microsoft Security Bulletin MS06-002

Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

Issued: January 10, 2006

Version: 1.0

Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None.

Vulnerability Details:

A remote code execution vulnerability exists in Windows because of the way that it handles malformed embedded Web fonts. An attacker could exploit the vulnerability by constructing a malicious embedded Web font that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Affected Software:

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition family

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems

References:http://www.microsoft.com/security/bulletins/current.mspx (Microsoft Security Updates)