Not long ago I came across a certain font-related vulnerability; it was a 0day being exploited in the wild. The vulnerability was in a driver I was somewhat familiar with: ATMFD.SYS.
But what caught my eye this time was how the exploit was getting System privileges in a very elegant and clean way.
The mechanics of this technique involve patching the kernel structure representing a bitmap (SURFOBJ), turning it into a powerful arbitrary read/write primitive.
Alex Ionescu touched on the subject of Win32k shared memory regions in his excellent 2013 talk. But he didn’t mention this one; in fact, the only previous mention of this technique I could find was by Keen Team in June 2015.