What Is ATMFD.DLL?
The Adobe Type Manager Font Driver (ATMFD.DLL) is a Windows kernel-mode font rasterizer for Type 1 (PostScript) fonts and OpenType fonts with CFF (PostScript) outlines. It is loaded by win32k.sys as part of the Windows graphics subsystem, parses the font's tables and charstrings, and produces rendered glyph bitmaps. Because ATMFD.DLL runs in kernel context, an out-of-bounds write during font parsing is a kernel memory-corruption primitive, and therefore a direct path to privilege escalation.
ATMFD.DLL has a long history of security vulnerabilities because PostScript font parsing is complex and its input is attacker-controlled: the driver parses binary font data supplied by an unprivileged user or embedded in a document, in kernel mode, so any parsing flaw is potentially critical.
Overview
CVE-2015-2387 is an out-of-bounds write privilege escalation in the Windows ATM Font Driver (ATMFD.DLL) that allows a local attacker to gain elevated privileges via a crafted application. It was patched in MS15-077 on July 14, 2015, the first Patch Tuesday after the Hacking Team data breach of July 5, 2015, which exposed multiple Windows zero-days including font-parsing bugs in the same component family. One of those, the OpenType font RCE CVE-2015-2426, was serious enough that Microsoft fixed it out-of-band in MS15-078 on July 20, 2015.
Affected Versions
| Windows | Status |
|---|---|
| Windows Vista SP2 | Vulnerable |
| Windows Server 2008 SP2 / R2 SP1 | Vulnerable |
| Windows 7 SP1 | Vulnerable |
| Windows 8 / 8.1 | Vulnerable |
| Windows Server 2012 / 2012 R2 | Vulnerable |
| Windows RT / RT 8.1 | Vulnerable |
Fixed in MS15-077 (July 2015).
Technical Details
Root Cause: Out-of-Bounds Write in ATMFD Font Parsing
CVE-2015-2387 is an out-of-bounds write (CWE-787) in ATMFD.DLL's processing of font data. The driver allocates a kernel pool buffer sized for the font metrics or glyph data it expects, but when it processes a specially crafted font, one whose table entries or size fields do not match the data actually present, it writes beyond the buffer's allocated bounds into adjacent kernel memory. Public details identify the flaw only as an out-of-bounds write in font processing, so what follows describes the vulnerability class rather than a specific field.
This kernel pool overflow can corrupt:
- Adjacent pool allocations, including kernel objects that hold function pointers or that the kernel otherwise trusts
- Kernel security structures, such as the Token pointer in the attacking process's EPROCESS, which determines the process's privileges
A successful exploit escalates the attacking process from a standard user to SYSTEM, bypassing all user-space privilege controls.
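To make the vulnerability class concrete, here is an added example written for this page; it is not ATMFD.DLL code and does not reproduce the unpublished details of CVE-2015-2387. It parses the CFF INDEX structure, the container that OpenType/CFF fonts use for charstrings and dictionaries and that any Type 1/CFF rasterizer has to walk, with the bounds checks whose absence produces exactly this kind of out-of-bounds write. The fixed-size GLYPH_BUF, the MAX_OBJECTS limit and the two sample INDEX byte strings are constructed for the demonstration; cff_claimed_len shows the object length an unchecked parser would trust, and cff_copy_object is the hardened path that refuses it.

```c
/* Added example: a bounds-checked parser for the CFF INDEX structure.
 * Illustrates the CWE-787 class behind CVE-2015-2387; it is not ATMFD code.
 *
 * CFF INDEX layout (CFF spec, section 5):
 *   count            Card16, big-endian     number of objects; 0 => INDEX is 2 bytes total
 *   offSize          1 byte, 1..4           width of each offset
 *   offset[count+1]  offSize bytes each     1-based offsets into the data that follows
 *   data             (offset[count]-1) bytes  the objects, back to back
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_OBJECTS 8   /* capacity of the caller's object table (constructed limit) */
#define GLYPH_BUF  16   /* fixed-size destination, stand-in for a kernel pool allocation */

typedef struct { size_t off; size_t len; } cff_obj;  /* object location inside the font buffer */

static uint32_t read_be(const uint8_t *p, unsigned n) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

/* Parse an INDEX at buf[0..buflen). Returns the object count, or -1 if the
 * INDEX is malformed. Each check corresponds to one way a crafted font can
 * make an unchecked parser read or write outside its buffers. */
int cff_index_parse(const uint8_t *buf, size_t buflen, cff_obj *objs, size_t max_objs) {
    if (buflen < 2) return -1;
    uint32_t count = read_be(buf, 2);
    if (count == 0) return 0;                        /* empty INDEX: nothing follows */
    if (buflen < 3) return -1;
    unsigned off_size = buf[2];
    if (off_size < 1 || off_size > 4) return -1;     /* spec allows only 1..4 */
    if (count > max_objs) return -1;                 /* would overflow the caller's objs[] */
    size_t hdr = 3 + ((size_t)count + 1) * off_size; /* size_t: no 16/32-bit wraparound */
    if (hdr > buflen) return -1;                     /* offset array itself is truncated */
    size_t data_len = buflen - hdr;
    size_t prev = read_be(buf + 3, off_size);
    if (prev != 1) return -1;                        /* first offset is always 1 */
    for (uint32_t i = 0; i < count; i++) {
        size_t cur = read_be(buf + 3 + ((size_t)i + 1) * off_size, off_size);
        if (cur < prev) return -1;                   /* non-monotonic: "negative" length */
        if (cur - 1 > data_len) return -1;           /* object extends past the font data */
        objs[i].off = hdr + prev - 1;
        objs[i].len = cur - prev;
        prev = cur;
    }
    return (int)count;
}

/* The length an *unchecked* parser would compute for object idx: the raw
 * difference of two offsets read from the file. Only the offset bytes are
 * range-checked, so this demo never reads outside buf itself. */
long cff_claimed_len(const uint8_t *buf, size_t buflen, size_t idx) {
    if (buflen < 3) return -1;
    uint32_t count = read_be(buf, 2);
    unsigned off_size = buf[2];
    if (off_size < 1 || off_size > 4 || idx >= count) return -1;
    if (3 + (idx + 2) * off_size > buflen) return -1;
    long a = (long)read_be(buf + 3 + idx * off_size, off_size);
    long b = (long)read_be(buf + 3 + (idx + 1) * off_size, off_size);
    return b - a;   /* trusted as-is, this becomes the memcpy length */
}

/* Hardened copy of object idx into a fixed-size destination. Returns bytes
 * copied, or -1 if the INDEX is malformed or the object would not fit. The
 * comparison against dst_len is the check whose absence turns a crafted
 * length into an out-of-bounds write. */
int cff_copy_object(const uint8_t *buf, size_t buflen, size_t idx,
                    uint8_t *dst, size_t dst_len) {
    cff_obj objs[MAX_OBJECTS];
    int n = cff_index_parse(buf, buflen, objs, MAX_OBJECTS);
    if (n < 0 || idx >= (size_t)n) return -1;
    if (objs[idx].len > dst_len) return -1;
    memcpy(dst, buf + objs[idx].off, objs[idx].len);
    return (int)objs[idx].len;
}

/* Constructed sample inputs (not real font files). */
/* Well-formed: count=2, offSize=1, offsets 1,4,6 -> objects "abc" and "de". */
static const uint8_t valid_index[] = {
    0x00, 0x02, 0x01, 0x01, 0x04, 0x06, 'a', 'b', 'c', 'd', 'e' };
/* Crafted: count=1, offSize=2, offsets 1,0x4000 -> claims a 16383-byte object
 * although only 3 bytes of data follow. */
static const uint8_t bad_index[] = {
    0x00, 0x01, 0x02, 0x00, 0x01, 0x40, 0x00, 'x', 'y', 'z' };

int main(void) {
    uint8_t glyph[GLYPH_BUF];
    printf("valid: copied %d bytes\n",
           cff_copy_object(valid_index, sizeof valid_index, 0, glyph, sizeof glyph));
    printf("crafted: unchecked length would be %ld (dst is %d bytes); hardened copy returns %d\n",
           cff_claimed_len(bad_index, sizeof bad_index, 0), GLYPH_BUF,
           cff_copy_object(bad_index, sizeof bad_index, 0, glyph, sizeof glyph));
    return 0;
}
```

The crafted INDEX passes every structural check an unchecked parser performs (the header and offset array are fully inside the buffer); only the object length derived from the offsets is hostile. That is the general shape of font-parser bugs in this class: the attacker controls a size field, the parser trusts it, and the copy runs past a fixed or previously sized allocation.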
Privilege Escalation Path
- Attacker runs a crafted application that loads a malicious font; the GDI font-loading APIs (AddFontResourceEx, AddFontMemResourceEx) are available to any standard user, so no elevation is needed to reach the parser
- ATMFD.DLL processes the font in kernel mode, triggering the out-of-bounds write
- Adjacent kernel memory is corrupted — specifically targeting a security-critical structure
- Application obtains SYSTEM token / kernel code execution
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Local — requires user-mode code execution |
| Privileges Required | Low (standard user account) |
| User Interaction | None required |
| Impact | Privilege escalation to SYSTEM |
| Kernel Component | ATMFD.DLL (Adobe Type Manager Font Driver) |
Discovery
Reported to Microsoft and patched in MS15-077 as part of the July 2015 Patch Tuesday. The fix landed nine days after the Hacking Team data breach, at a time when Windows font rendering components were under intense scrutiny because several font-related zero-days had surfaced in the leaked Hacking Team data.
Exploitation Context
- Hacking Team context: the July 2015 Hacking Team breach exposed multiple Windows vulnerabilities in font rendering. CVE-2015-2387 was fixed on the regular July 14 Patch Tuesday; six days later, on July 20, Microsoft shipped the out-of-band bulletin MS15-078 for CVE-2015-2426, an OpenType font RCE taken from the Hacking Team data. Together the two bulletins reflect the intense focus on Windows font security in this period
- LPE exploit chain component: ATMFD.DLL privilege escalations are used as second-stage exploits in full attack chains — combined with a browser or document RCE for complete system compromise
- Targeted attacks: Kernel font driver LPE vulnerabilities require precise exploitation and are primarily used in targeted attacks by APT groups rather than mass exploitation
- CISA KEV: added 2022-03-03. KEV inclusion requires evidence of active exploitation, so the listing confirms real-world use rather than a theoretical risk
Remediation
- Apply MS15-077 (July 2015). Any Windows system current with Windows Update after July 2015 includes this fix.
- Disable ATMFD.DLL. For systems that cannot be patched immediately, Microsoft's bulletin workaround disables the ATM font driver through a registry value (a reboot is required for it to take effect):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD (REG_DWORD) = 1
Note: with the driver disabled, Type 1 and OpenType (CFF) fonts no longer render, so applications that rely on embedded fonts of those types will display incorrectly. Revert by deleting the value, or setting it to 0, and rebooting.
- Maintain current Windows patch levels. Microsoft kept patching ATMFD.DLL after 2015, and on Windows 10 version 1607 and later font parsing was moved out of the kernel into a user-mode AppContainer process (fontdrvhost.exe), which turns a parser bug of this kind into code execution inside a sandbox rather than in the kernel. Updated systems are protected.
- Upgrade Windows. Windows 10 version 2004 (May 2020 Update) and later removed ATMFD.DLL from the OS entirely, eliminating this attack surface.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2015-2387 |
| Vendor / Product | Microsoft — ATM Font Driver |
| NVD Published | 2015-07-14 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 — Out-of-Bounds Write |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2015-07-05 | Hacking Team data breach; 400GB of internal files published; multiple zero-days exposed |
| 2015-07-14 | Microsoft Security Bulletin MS15-077 released; CVE-2015-2387 patched |
| 2015-07-14 | CVE-2015-2387 published by NVD |
| 2015-07-20 | Out-of-band bulletin MS15-078 released for CVE-2015-2426, the OpenType font RCE from the Hacking Team data |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2015-2387 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS15-077 — Vulnerability in ATM Font Driver Could Allow Elevation of Privilege | Vendor Advisory |