Credit: @promised_lu and @zer0mem
This win32k bug, still unpatched, resides in the TrueType font code shipped with Windows 8.1. Details of the exploitation technique and a highly abstracted description of the bug were presented at REcon this year, and the exploit was used to win at Pwn2Own 2015.