More details about the exploit at: http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vulnerability-from-the-hacking-team-leak/.
Clearly there is a bug in the code, but more importantly why is a font driver running in kernel mode? Would running the code in user space not reduce the effectiveness of the bug?
History: Windows NT 3.51 had the Win32 stuff, as the primary subsystem be run in CSRSS, and Windows was good and like a microkernel. Enter Windows NT 4.0. The Win32 stuff is moved into a kernel driver called win32k.sys, to improve speed. (Printing was moved into the kernel as well.)
To improve reliability and security, since Vista is undoing a lot of this. (Example: When GPU drivers crash, they can gracefully restart.)
Note I am not a Dave Cutler or Mark Russinovich, and as such, my knowledge of NT’s guts may be a bit off.