CVE-2015-2387
Published: 2015-07-14
Priority: P2 · 79 · High · CVSS 3.1 base score 7.8
Flags: KEV · ITW · Exploit
CISA Known Exploited Vulnerability (remediation due 2022-03-24)
Exploited in the wild
EPSS: 36.74% (98.3rd percentile)
ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "ATMFD.DLL Memory Corruption Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability resides in ATMFD.DLL (Adobe Type Manager Font Driver); monitor for suspicious loading or activity involving this DLL in privileged contexts.
- Flag local privilege escalation attempts leveraging crafted applications that interact with the ATM Font Driver (ATMFD.DLL); this vulnerability is known to be actively exploited per CISA KEV.
- This is a local privilege escalation vulnerability; exploitation requires local access, so remote-only detection strategies are insufficient.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
VulDB
CVE-2015-2387 [HIGH] Microsoft Windows Vista SP2 up to Server 2012 R2 Adobe Type Manager Font Driver ATMFD.DLL access control (MS15-077 / Nessus ID 84746)
vuldb · 2026-04-22 · CVSS 7.8
A vulnerability was found in Microsoft Windows Vista SP2 up to Server 2012 R2 and classified as problematic. Affected by this vulnerability is an unknown functionality in the library ATMFD.DLL of the component Adobe Type Manager Font Driver. Such manipulation leads to improper access controls.
This vulnerability is uniquely identified as CVE-2015-2387. Local access is required to approach this attack. Moreover, an exploit is present.
Applying a patch is advised to resolve this issue.
GHSA
CVE-2015-2387 [HIGH] CWE-787 GHSA-35f2-76rg-h8vq: ATMFD
ghsa_unreviewed · 2022-05-14
ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "ATMFD.DLL Memory Corruption Vulnerability."
Project Zero
CVE-2015-2387 A year of Windows kernel font fuzzing #1: the results - Project Zero
project_zero · 2016-06-01
Posted by Mateusz Jurczyk of Google Project Zero
This post series is about how we used at-scale fuzzing to discover and report a total of 16 vulnerabilities in the handling of TrueType and OpenType fonts in the Windows kernel during the last year. In part #1 here, we present a general overview of the font security area, followed by a high-level explanation of the fuzzing effort we have undertaken, including the overall results and case studies of two bug collisions. In the upcoming part #2, we will share the specific technical details of the project, and how we tried to optimize each part of the process to the maximum extent, and go beyond the current state of the art in Windows kernel font fuzzing. Read on!
## Background
To most readers of this blog, the fact that fonts are a very si
VulnCheck
CVE-2015-2387 [HIGH] CWE-264 Microsoft ATM Font Driver Privilege Escalation Vulnerability
vulncheck · 2015 · CVSS 7.8
ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server allows local users to gain privileges via a crafted application.
Affected: Microsoft ATM Font Driver
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://resources.infosecinstitute.com/topic/the-hacking-team-hack-when-hackers-have-become-the-target/
- https://www.trendmicro.com/en_us/research/15/g/hacking-team-leak-uncovers-another-windows-zero-day-ms-releases-patch.html
- https://www.recordedfuture.com/russian-apt-toolkits
- https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf
- https://marcoramilli.com/2019/12/05/apt28-at
CISA
CVE-2015-2387 [HIGH] CWE-264 Microsoft ATM Font Driver Privilege Escalation Vulnerability
cisa · 2022-03-03 · CVSS 7.8
Affected: Microsoft ATM Font Driver
ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server allows local users to gain privileges via a crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-2387
Remediation Due Date: 2022-03-24
No detection rules found.
No public exploits indexed.
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext · 2025-02-12
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable · 2021-01-21
Qualys
[CRITICAL] Update2: Patch Tuesday July 2015 | Qualys
blogs_qualys · 2015-07-14 · CVSS 9.8
Update2: Microsoft released a critical bulletin MS15-078 for a font problem that affects all versions of Windows and allows Remote Code Execution. Microsoft credits Google’s Project Zero, Fireeye and TrendMicro. TrendMicro indicates that the vulnerability came out of the HackingTeam data breach. Google’s entry for the bug indicates that they are aware of exploit code available in the wild, which explains Microsoft’s out-of-band release. Patch as quickly as possible.
Update: Oracle’s CPU July 2015 fixes the 0-day vulnerability CVE-2015-2590 in Java reported by Trend Micro. We recommend treating this patch with high priority. Note: if you think you cannot use new Java due to requirements for old versions, have you looked at Oracle’s deployment rulesets?
Original: When we started preparing
Talos
[CRITICAL] Microsoft Patch Tuesday – July 2015
blogs_talos · 2015-07-14 · CVSS 9.3
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins being released which address 57 CVEs. Four of the bulletins are listed as Critical and address vulnerabilities in Windows Server Hyper-V, VBScript Scripting Engine, Remote Desktop Protocol (RDP) and Internet Explorer. The remaining ten bulletins are marked as Important and address vulnerabilities in SQL Server, Windows DCOM RPC, NETLOGON, Windows Graphic Component, Windows Kernel Mode Driver, Microsoft Office, Windows Installer, Windows, and OLE.
## Bulletins Rated Critical
MS15-065, MS15-066, MS15-067 and MS15-068 are rated Critical.
MS15-065 is this month’s Internet Explorer security bulletin with vuln
Threat Intel
APT28 (APT28, IRON TWILIGHT, SNAKEMACKEREL)
threat_intel
# Threat Actor Profile: APT28
ATT&CK ID: G0007
Also known as: APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch
Suspected origin: Russia
## Overview
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-412
Zscaler
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 07-21-2015
blogs_zscaler · CVSS 9.3
Zscaler
Zscaler found IE & MS Office Vulnerabilities | 07-14-2015
blogs_zscaler
References
- http://www.securityfocus.com/bid/75587
- http://www.securitytracker.com/id/1032908
- http://www.us-cert.gov/ncas/alerts/TA15-195A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-077
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2387
Published: 2015-07-14
Added to CISA KEV: 2022-03-03
Exploited in the wild