CVE-2015-2461
Published 2015-08-15
Priority: P2 (72) · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 36.37% (98.3rd percentile)
ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2458 and CVE-2015-2459.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- The exploit is triggered via font loading through win32k!NtGdiAddFontResourceW — monitor kernel call stacks involving win32k!NtGdiAddFontResourceW → win32k!GreAddFontResourceWInternal → win32k!PUBLIC_PFTOBJ::bLoadFonts → ATMFD.DLL for anomalous OTF font files.
- The malicious CFF font file can be crafted with a single byte change at offset 0x375 (offset 0x71 within the 'CFF ' table) from 0x01 to 0x41 — inspect loaded OTF/CFF font files for anomalous Name INDEX offset values that exceed the bounds of the Name INDEX data block.
- The vulnerability is exploitable via the Windows Font Viewer or any application that loads fonts — no special tools required; monitor for unexpected font loading (NtGdiAddFontResourceW) from untrusted or web-sourced OTF files in csrss.exe context.
- The root cause is missing bounds checking on NAME.offset[x] in the CFF Name INDEX parser of ATMFD.DLL — the expression 'base address of the Name INDEX data + NAME.offset[x] - 1' is dereferenced without validation, enabling out-of-bounds read.
- The crash is most reliably reproduced with Special Pools enabled for ATMFD.DLL; on default Windows installations the crash may still occur but is harder to observe immediately.
- The patch for CVE-2015-2461 (MS15-080) may have been insufficient — an almost identical crash was reproduced nearly two years after the original fix, suggesting incomplete remediation.
- Impact is assessed as out-of-bounds read only (remote DoS or local kernel memory disclosure), but more severe exploitation via unknown ATMFD logic cannot be fully ruled out.
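The Name INDEX check suggested above can be scripted as a pre-load scan; this is an added example, not code from any source cited on this page. It parses the 'CFF ' table out of an OTF container and verifies that every Name INDEX offset stays within the table, which is exactly the validation the driver was missing. The font bytes below are constructed for the test and only reproduce the out-of-range-offset shape, not the PoC file.

```python
import struct

def find_cff_table(otf: bytes) -> bytes:
    """Locate the 'CFF ' table inside an OpenType (sfnt) container."""
    num_tables = struct.unpack(">H", otf[4:6])[0]
    for i in range(num_tables):
        tag, _chk, off, length = struct.unpack(">4sIII", otf[12 + 16 * i:28 + 16 * i])
        if tag == b"CFF ":
            return otf[off:off + length]
    raise ValueError("no 'CFF ' table")

def check_name_index(cff: bytes) -> list:
    """Validate the CFF Name INDEX offsets; an empty list means it is well-formed."""
    if len(cff) < 4 or cff[2] + 2 > len(cff):
        return ["CFF header or Name INDEX truncated"]
    pos = cff[2]                                    # hdrSize: the Name INDEX follows the header
    count = struct.unpack(">H", cff[pos:pos + 2])[0]
    if count == 0:                                  # an empty INDEX is just the 2-byte count
        return []
    off_size = cff[pos + 2] if pos + 2 < len(cff) else 0
    if not 1 <= off_size <= 4:
        return [f"invalid offSize {off_size}"]
    arr, data_start = pos + 3, pos + 3 + (count + 1) * off_size
    if data_start > len(cff):
        return ["Name INDEX offset array truncated"]
    offsets = [int.from_bytes(cff[arr + i * off_size:arr + (i + 1) * off_size], "big")
               for i in range(count + 1)]
    data_size = len(cff) - data_start               # bytes actually present after the array
    problems = []
    if offsets[0] != 1:                             # CFF spec: offsets are 1-based, first is 1
        problems.append(f"first offset is {offsets[0]:#x}, must be 1")
    for i, off in enumerate(offsets):
        # The driver dereferences base + offset - 1; that address must stay inside the table.
        if off < 1 or off - 1 > data_size:
            problems.append(f"offset[{i}]={off:#x} points outside the Name INDEX data")
    for i in range(count):
        if offsets[i + 1] < offsets[i]:
            problems.append(f"offset[{i + 1}] < offset[{i}]: non-monotonic offsets")
    return problems

def build_otf(cff: bytes) -> bytes:
    """Wrap a CFF table in a minimal single-table sfnt container (constructed test input)."""
    return (b"OTTO" + struct.pack(">HHHH", 1, 16, 0, 0)
            + struct.pack(">4sIII", b"CFF ", 0, 28, len(cff)) + cff)

# Constructed sample table, not a real font: 4-byte header, one-entry Name INDEX, empty Top DICT INDEX.
GOOD_CFF = b"\x01\x00\x04\x01" + struct.pack(">HB", 1, 1) + bytes([1, 9]) + b"TestFont" + b"\x00\x00"
BAD_CFF = GOOD_CFF[:7] + b"\x41" + GOOD_CFF[8:]  # first Name INDEX offset byte 0x01 -> 0x41
```

Run `check_name_index(find_cff_table(data))` over files before they reach a font-loading API; a non-empty result is a reason to quarantine the file rather than open it.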
GHSA
- GHSA-jvrr-j3q9-qv8w: ATMFD (CVE-2015-2458) · CRITICAL · CWE-20 · unreviewed · 2022-05-14 · CVSS 9.3
  Same description as the CVE text above, listed as a different vulnerability than CVE-2015-2459 and CVE-2015-2461.
- GHSA-w5xx-wqgc-vg9r: ATMFD (CVE-2015-2461) · CRITICAL · CWE-20 · unreviewed · 2022-05-14 · CVSS 9.3
  Same description as the CVE text above, listed as a different vulnerability than CVE-2015-2458 and CVE-2015-2459.
- GHSA-244f-jjf4-gvqg: ATMFD (CVE-2015-2459) · CRITICAL · CWE-20 · unreviewed · 2022-05-14 · CVSS 9.3
  Same description as the CVE text above, listed as a different vulnerability than CVE-2015-2458 and CVE-2015-2461.
No detection rules found.
Exploit-DB
Microsoft Windows Kernel - 'ATMFD.DLL' Out-of-Bounds Read due to Malformed Name INDEX in the CFF Table (CVE-2017-8483, exploitdb, 2017-06-23)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1213
We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file, see below:
```text
---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fb69b01e, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 8f635862, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserve
```
Exploit-DB
Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to Malformed Name INDEX in the CFF Table (CVE-2015-2461, exploitdb, 2015-08-21)
Source: https://code.google.com/p/google-security-research/issues/detail?id=386&can=1
We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:
```text
---
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fc937cdf, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 91d75195, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)
Debugging Detail
```
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/76209
- http://www.securitytracker.com/id/1033238
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-080
- https://www.exploit-db.com/exploits/37917/