Today, Microsoft released the MS15-078 bulletin containing a patch for yet another flaw in the Adobe Type Manager Font Driver (atmfd.dll). This patch, coming just shy of a week after Microsoft’s monthly Patch Tuesday event, fixes a kernel pool overflow vulnerability (CVE-2015-2426), which can allow remote code execution with full system rights. The vulnerability lies within the OpenType font format, when the system attempts to copy data from a zero-sized buffer. Multiple attack vectors exist but they require a bit of social engineering, such as convincing a victim to open a specially crafted font file or by convincing them to visit a malicious website containing embedded fonts. All versions of Windows are affected, but it should be noted that support (and therefore, updates) for Windows Server 2003 is no longer available, as the operating system has reached its scheduled end-of-life on July 14
th.
Additionally, the details surrounding this bulletin is not without controversy. The discovery is credited to researchers of Google’s Project Zero and FireEye, and is similar to the previous ATMFD vulnerability which was publically disclosed by Project Zero on July 8
th (
https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&sort=-id), after a seven-day deadline had expired. Both vulnerabilities were discovered via the recent Hacking Team leak and although the leak does include a proof-of-concept sample for CVE-2015-2426, one does not currently exist in the wild.
BeyondTrust has released an audit to detect this vulnerability, which will be available in audits release 2939:
47835 - Microsoft Font Driver Remote Code Execution (3079904)
