CVE-2016-7256
Published: 10 November 2016
Summary
CVE-2016-7256 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2016-7256 resides in atmfd.dll in the Windows font library and affects Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016. It is described as an Open Type Font Remote Code Execution Vulnerability that is triggered by specially crafted font input.
Remote attackers can exploit the flaw by serving a crafted web site to a victim, achieving arbitrary code execution on the target system. The CVSS 3.1 score of 8.8 reflects a network attack vector, low attack complexity, no required privileges, required user interaction, and high impact on confidentiality, integrity, and availability.
Microsoft security bulletin MS16-132 supplies patches that address the issue across the listed Windows versions and includes associated mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-8112
Vulnerability details
atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to execute arbitrary code via a crafted web site, aka "Open Type Font Remote Code Execution Vulnerability."
- CWE(s): unspecified (none assigned)
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly addresses the CVE by requiring timely application of the vendor patches supplied in MS16-132 that eliminate the atmfd.dll parsing flaw.
- SI-10 (Information Input Validation): Enforces validation of untrusted OpenType font input before it reaches atmfd.dll, blocking the crafted data that triggers remote code execution.
- SI-3 (Malicious Code Protection): Provides malicious-code detection and blocking mechanisms that can identify and stop exploitation attempts delivered via malicious web-served fonts.