The TrueType Fonts rasterizer in Microsoft Windows 2000 SP4 allows local users to gain privileges via crafted TrueType fonts, which result in an uninitialized function pointer.
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-017