CVE-2016-7256
Published 2016-11-10
CVE-2016-7256: atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold…
Priority: P1 · 88 · high · CVSS 3.1: 8.8
CVSS vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
- KEV: CISA Known Exploited Vulnerability, remediation due 2022-06-15
- ITW: Exploited in the wild
EPSS: 64.83% (99.1st percentile)
atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to execute arbitrary code via a crafted web site, aka "Open Type Font Remote Code Execution Vulnerability."
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2016-7256 was actively exploited in the wild at time of patch release; prioritize detection of processes loading atmfd.dll from unexpected locations or renamed copies (e.g., x-atmfd.dll).
- Exploitation vector is a specially crafted embedded font delivered via a malicious webpage or document file; monitor browser and Office processes for anomalous font rendering activity involving atmfd.dll.
- In a file-sharing/phishing scenario, the exploit is delivered via a specially crafted document; monitor email attachments and document opens that trigger atmfd.dll loading.
- Exploit status confirmed as 'Exploited:Yes' with 'Exploitation Detected' on older software releases; treat any unpatched system loading atmfd.dll as high-risk.
- Workaround mitigation renames atmfd.dll to x-atmfd.dll; presence of x-atmfd.dll on a system may indicate the workaround was applied, while its absence on unpatched systems indicates exposure.
- Disabling ATMFD.DLL via registry (DisableATMFD=1) is only available as a workaround on Windows 8 and later; earlier OS versions must rely on renaming the DLL.
- Disabling ATMFD.DLL will break applications that rely on embedded OpenType font technology; assess application impact before deploying the workaround.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
CISA
Microsoft Windows Open Type Font Remote Code Execution Vulnerability
cisa · 2022-05-25 · CVSS 8.8 · HIGH · CWE-284
Affected: Microsoft Windows
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-7256
Remediation Due Date: 2022-06-15
Microsoft
Microsoft Graphics Remote Code Execution Vulnerability
vendor_msrc · 2016-11-08 · CVSS 8.8 · HIGH
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit the vulnerability:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view
GHSA
GHSA-cx4j-72f6-rmxr: atmfd
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-284
atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to execute arbitrary code via a crafted web site, aka "Open Type Font Remote Code Execution Vulnerability."
VulnCheck
Microsoft Windows Open Type Font Remote Code Execution Vulnerability
vulncheck · 2016 · CVSS 8.8 · HIGH · CWE-284
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2016-Nov
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-15
No detection rules found.
No public exploits indexed.
Qualys
Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server | Qualys
blogs_qualys · 2016-11-08 · CVSS 3.1 · tagged CVE-2016-7255 [LOW]
Today Microsoft released 14 security bulletins with six critical and eight important security fixes. It patched the 0-day vulnerability CVE-2016-7255 in MS16-135, which was actively attacked and disclosed by Google in their disclosure blog a few days ago. Since it is publicly disclosed and actively exploited, it should be the top priority for organizations. An OpenType font vulnerability, CVE-2016-7256, was also included by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage and therefore should be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before availability of patches were fixed. These three issues are in the IE and Edge browsers and wer
References
- http://www.securityfocus.com/bid/94156
- http://www.securitytracker.com/id/1037243
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-132
- https://twitter.com/da5ch0/status/820161895269277696
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-7256
Timeline
- 2016-11-10: Published
- 2022-05-25: Added to CISA KEV
- Exploited in the wild