CVE-2016-7256
published 2016-11-10


Priority: P1 (88), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
KEV / ITW: CISA Known Exploited Vulnerability, due 2022-06-15; exploited in the wild
EPSS: 64.83% (percentile 99.1)
atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to execute arbitrary code via a crafted web site, aka "Open Type Font Remote Code Execution Vulnerability."

Affected (15 ranges)

Vendor    | Product                                  | Version range | Fixed in
microsoft | windows_server_2008                      |               |
microsoft | windows_server_2012                      |               |
msrc      | windows_10                               |               |
msrc      | windows_10_version_1511                  |               |
msrc      | windows_10_version_1607                  |               |
msrc      | windows_7                                |               |
msrc      | windows_8.1                              |               |
msrc      | windows_rt_8.1                           |               |
msrc      | windows_server_2008                      |               |
msrc      | windows_server_2008_r2                   |               |
msrc      | windows_server_2012                      |               |
msrc      | windows_server_2012_r2                   |               |
msrc      | windows_server_2016                      |               |
msrc      | windows_vista_service_pack_2             |               |
msrc      | windows_vista_x64_edition_service_pack_2 |               |

Detection & IOCs (extracted from sources)

filename: atmfd.dll
registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD
  • CVE-2016-7256 was being exploited in the wild when the patch shipped, so treat any unpatched host on which atmfd.dll is still present and enabled as high-risk.
  • The exploitation vector is a specially crafted embedded font delivered through a malicious web page or document; monitor browser and Office processes for anomalous font-rendering activity. Note that atmfd.dll is a font driver loaded by the OS font subsystem (in kernel mode on Windows 8.1 and earlier), not a library that ordinary processes import, so the useful host-level signal is whether the driver is still reachable (present and not disabled), not which process "loaded" it.
  • In a file-sharing or phishing scenario the exploit arrives as a specially crafted document; monitor email attachments and document opens on unpatched hosts.
  • MSRC's exploitability assessment lists the bug as 'Exploited: Yes' with 'Exploitation Detected' on older software releases.
  • The rename workaround moves atmfd.dll to x-atmfd.dll; an x-atmfd.dll on a host indicates the workaround was applied, while an unpatched host that still has atmfd.dll in place is exposed.
  • Disabling ATMFD.DLL via the registry (DisableATMFD=1 under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows) is only available as a workaround on Windows 8 and later; earlier OS versions must rely on renaming the DLL.
  • Disabling ATMFD.DLL breaks applications that rely on embedded OpenType font technology; assess application impact before deploying the workaround.
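The following PowerShell script is an added example for auditing the indicators above on a fleet; it is not code from the original page or from Microsoft. It reports whether atmfd.dll is still reachable on a host and whether either documented workaround (the x-atmfd.dll rename, or DisableATMFD=1 on Windows 8 and later) is in place, and optionally applies the registry workaround with -WhatIf support. It assumes Windows PowerShell 3.0 or later (for [pscustomobject] and Get-CimInstance) and that on 64-bit Windows the driver lives in both System32 and SysWOW64; the function names Get-AtmfdExposure and Set-AtmfdDisabled are this example's own.

```powershell
# Added audit example (not from the page or vendor). Read-only unless Set-AtmfdDisabled is called.
# Assumes Windows PowerShell 3.0+; function names are hypothetical, chosen for this example.

function Get-AtmfdExposure {
    [CmdletBinding()]
    param()

    $regKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $sysRoot = $env:SystemRoot

    # On 64-bit Windows the rename workaround has to cover both copies of the driver.
    $dirs = @("$sysRoot\System32")
    if (Test-Path "$sysRoot\SysWOW64") { $dirs += "$sysRoot\SysWOW64" }

    $files = foreach ($d in $dirs) {
        [pscustomobject]@{
            Directory      = $d
            AtmfdPresent   = Test-Path (Join-Path $d 'atmfd.dll')
            RenamedPresent = Test-Path (Join-Path $d 'x-atmfd.dll')   # workaround artifact
        }
    }

    # Win32_OperatingSystem reports the real version even for unmanifested processes.
    $osVer = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    # DisableATMFD is only honoured on Windows 8 (NT 6.2) and later.
    $registryWorkaroundSupported = $osVer -ge [version]'6.2'

    $disable = (Get-ItemProperty -Path $regKey -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD

    $driverFilesPresent = @($files | Where-Object { $_.AtmfdPresent }).Count -gt 0
    $renamedEverywhere  = (-not $driverFilesPresent) -and (@($files | Where-Object { $_.RenamedPresent }).Count -gt 0)
    $disabledByRegistry = $registryWorkaroundSupported -and ($disable -eq 1)

    [pscustomobject]@{
        OSVersion                   = $osVer.ToString()
        Files                       = $files
        DisableATMFD                = $disable
        RegistryWorkaroundSupported = $registryWorkaroundSupported
        WorkaroundApplied           = $renamedEverywhere -or $disabledByRegistry
        # "Reachable" means the driver can still be loaded; only the vendor update actually fixes the bug,
        # so a patched host with the driver reachable is fine, an unpatched one is the high-risk case.
        DriverReachable             = $driverFilesPresent -and -not ($renamedEverywhere -or $disabledByRegistry)
    }
}

function Set-AtmfdDisabled {
    # Applies the registry workaround. Requires an elevated prompt; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $regKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $osVer  = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    if ($osVer -lt [version]'6.2') {
        throw 'DisableATMFD is not honoured before Windows 8; rename atmfd.dll to x-atmfd.dll instead.'
    }
    $action = 'Set DisableATMFD=1 (breaks applications that rely on embedded OpenType fonts)'
    if ($PSCmdlet.ShouldProcess($regKey, $action)) {
        New-ItemProperty -Path $regKey -Name DisableATMFD -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: report the host's state; pipe the object to Export-Csv when collecting across a fleet.
Get-AtmfdExposure | Format-List
# To apply the registry workaround after reviewing application impact:
#   Set-AtmfdDisabled -WhatIf   # dry run
#   Set-AtmfdDisabled           # prompts via ShouldProcess, then writes the DWORD
```

The audit function deliberately separates "workaround applied" from "driver reachable": a host that has had atmfd.dll renamed in System32 but not SysWOW64 still reports DriverReachable = $true, which is the case the rename-only guidance for 64-bit systems is meant to catch. Combine the output with your patch inventory; the script cannot tell a patched driver from an unpatched one, so DriverReachable on an unpatched release is the finding to escalate.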

CVSS provenance

  nvd          v3.1  8.8  HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  nvd          v2.0  9.3  CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
  vulncheck          8.8  HIGH
  cisa               8.8  HIGH
  vendor_msrc        8.8  HIGH