CVE-2015-2459
published 2015-08-15CVE-2015-2459: ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1…
PriorityP272critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
32.35%
98.1th percentile
ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2458 and CVE-2015-2461.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Enable Special Pools for ATMFD.DLL to force an immediate crash on trigger, aiding in detection and reproduction of the vulnerability in lab/forensic environments. ↗
- →Look for pool tag 'Adbe' (Adobe font driver kernel pool allocations) in memory forensics; corruption or use-after-free of these allocations is the root cause mechanism of this vulnerability. ↗
- →Delivery vector is a crafted OpenType Font (OTF) file processed by ATMFD.DLL; inspect OTF files with malformed CFF tables for exploitation of this CVE. ↗
- ·The vulnerability affects ATMFD.DLL across multiple Windows versions (Vista SP2 through Windows 10); the faulting offsets (0x34072 / 0x3407b) are specific to the vulnerable build and may differ across OS versions or patch levels. ↗
- ·The crash at ATMFD+0x34072 may not always be observed on default Windows installations without Special Pools enabled; detection based solely on crash signatures may miss exploitation on unmodified systems. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-jvrr-j3q9-qv8w: ATMFD
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2015-2458 [CRITICAL] CWE-20 GHSA-jvrr-j3q9-qv8w: ATMFD
ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2459 and CVE-2015-2461.
GHSA
GHSA-w5xx-wqgc-vg9r: ATMFD
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2015-2461 [CRITICAL] CWE-20 GHSA-w5xx-wqgc-vg9r: ATMFD
ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2458 and CVE-2015-2459.
GHSA
GHSA-244f-jjf4-gvqg: ATMFD
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2015-2459 [CRITICAL] CWE-20 GHSA-244f-jjf4-gvqg: ATMFD
ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2458 and CVE-2015-2461.
No detection rules found.
Exploit-DB
Microsoft Windows - 'ATMFD.DLL' CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access
exploitdb·2015-08-21
CVE-2015-2459 Microsoft Windows - 'ATMFD.DLL' CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access
Microsoft Windows - 'ATMFD.DLL' CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=383&can=1
We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff67a024, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 98b54072, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
*** ERROR: Modul
Nuclei
Combodo iTop <2.2.0-2459 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2015-6544 [MEDIUM] Combodo iTop <2.2.0-2459 - Cross-Site Scripting
Combodo iTop alert(document.domain)'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# digest: 4a0a0047304502203ec0a1d219275f5a6397254b60802b9509181d6e6af80e06357d0381ee6f814d022100dc8964640f764f2e50bdd822a39efd33b54c37db5320c2d35be9d615a5b8c820:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
http://www.securitytracker.com/id/1033238https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-080https://www.exploit-db.com/exploits/37922/http://www.securitytracker.com/id/1033238https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-080https://www.exploit-db.com/exploits/37922/
2015-08-15
Published