CVE-2015-2432
Published: 2015-08-15

Priority: P2 · 70 · critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available (public PoC indexed)
EPSS: 30.27% (98.0th percentile)
ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)

Indicators:
- Monitor for kernel crashes (PAGE_FAULT_IN_NONPAGED_AREA / BUGCHECK 0x50) originating from ATMFD.DLL, specifically write faults at ATMFD+0x345c9 involving an uninitialized pool pointer (EAX=a3a3a3a3) dereferenced via `or dword ptr [eax+38h], 10h`.
- Treat any crafted OTF/OpenType font file that triggers a malformed CFF table as a potential exploit artifact for CVE-2015-2432; the vulnerability is a write to an uninitialized address caused by the CFF table supplying an inflated pointer-array count (EBX=8) while only 4 pointers are initialized.
- Enable Special Pools for ATMFD.DLL during forensic analysis or sandboxed detonation to force an immediate, deterministic crash when the bug is triggered, which makes exploit attempts reliably detectable.

Caveats:
- The crash and uninitialized-pointer pattern (a3a3a3a3) is only reliably observable when Driver Verifier / Special Pools is enabled for ATMFD.DLL; on default Windows installations the pool bytes may differ, making the specific byte signature less reliable as a universal indicator.
- Symbols for ATMFD.DLL may not be available in all environments, limiting the reliability of offset-based detection rules (e.g., ATMFD+0x345c9) across different patch levels or builds.
No detection rules found.
No writeups or analysis indexed.
References
- http://www.securitytracker.com/id/1033238
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-080
- https://www.exploit-db.com/exploits/37920/