CVE-2015-2458
published 2015-08-15


Priority: P272
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 32.35% (98.1th percentile)

ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2459 and CVE-2015-2461.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | - | -
microsoft | windows_server_2012 | - | -

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37923.zip
filename: ATMFD.DLL
  • Kernel bugcheck 0xD6 (DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION) originating from ATMFD.DLL is a strong indicator of exploitation attempts against this CVE; monitor for such crash dumps.
  • Faulting instruction pointer within ATMFD module at offset 0x2a902 performing an out-of-bounds byte read; kernel crash logs showing ATMFD+0x2a902 in the stack trace indicate active exploitation.
  • Stack trace involving win32k!NtGdiGetTextExtentExW -> win32k!GreGetTextExtentExW -> ATMFD call chain is characteristic of this vulnerability being triggered via crafted OpenType font processing.
  • Enabling Special Pools for ATMFD.DLL on test/canary systems will cause an immediate crash upon exploitation, aiding in reliable detection of malicious OTF font files targeting this vulnerability.
  • Crafted OpenType (OTF) font files delivered to Windows systems trigger out-of-bounds reads in the ATMFD.DLL PostScript CharString interpreter; inspect OTF files for malformed CharString instruction streams.
  • The exact root cause of the out-of-bounds CharString stream read in ATMFD.DLL is unknown; the crash may not always be immediately observable on default Windows installations without Special Pools enabled.
  • The vulnerability reproduces on Windows 7; behaviour on other affected platforms (Vista SP2, Server 2008, Windows 8/8.1, Server 2012, RT, Windows 10) may differ in crash reliability.