ID CVE-2015-0092 Type cve Reporter cve@mitre.org Modified 2019-05-14T19:09:00
Description
Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0091, and CVE-2015-0093.
{"id": "CVE-2015-0092", "bulletinFamily": "NVD", "title": "CVE-2015-0092", "description": "Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka \"Adobe Font Driver Remote Code Execution Vulnerability,\" a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0091, and CVE-2015-0093.", "published": "2015-03-11T10:59:00", "modified": "2019-05-14T19:09:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0092", "reporter": "cve@mitre.org", "references": ["http://www.securitytracker.com/id/1031889", "http://www.securityfocus.com/bid/72906", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-021"], "cvelist": ["CVE-2015-0092"], "type": "cve", "lastseen": "2020-10-03T12:49:46", "edition": 3, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-72906"]}, {"type": "zdi", "idList": ["ZDI-15-227"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:CFED3C66FBADE8A584579DF5EE43C77B", "GOOGLEPROJECTZERO:A7C6FA01C9AD35D2B4A19AFD0239D7C8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805052"]}, {"type": "nessus", "idList": ["SMB_NT_MS15-021.NASL"]}, {"type": "mskb", "idList": ["KB3032323"]}, {"type": "kaspersky", "idList": ["KLA10468"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14384"]}], "modified": "2020-10-03T12:49:46", "rev": 2}, "score": {"value": 8.8, "vector": "NONE", "modified": "2020-10-03T12:49:46", "rev": 2}, "vulnersScore": 8.8}, "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_rt:-", "cpe:/o:microsoft:windows_7:-"], "affectedSoftware": [{"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_rt", "name": "microsoft windows rt", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2003", "name": "microsoft windows server 2003", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8", "name": "microsoft windows 8", "operator": "eq", "version": "-"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"], "cwe": ["CWE-94"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "vulnerable": true}], "operator": "OR"}]}}
{"symantec": [{"lastseen": "2018-03-14T22:42:16", "bulletinFamily": "software", "cvelist": ["CVE-2015-0092"], "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya CallPilot 5.1.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Client Registration Server 6.2 \n * Avaya Meeting Exchange - Recording Server 5.0 \n * Avaya Meeting Exchange - Recording Server 5.0.1 \n * Avaya Meeting Exchange - Recording Server 5.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Recording Server 6.2 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 6.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 6.2 \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Meeting Exchange - Webportal 6.2 \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows RT \n * Microsoft Windows Server 2003 Itanium SP2 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, block access at the network perimeter to computers hosting the vulnerable operating system.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nTo limit the risk of exploits, never connect to unknown or untrusted services.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-03-10T00:00:00", "published": "2015-03-10T00:00:00", "id": "SMNTC-72906", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/72906", "type": "symantec", "title": "Microsoft Windows Adobe Font Driver CVE-2015-0092 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2020-06-22T11:40:31", "bulletinFamily": "info", "cvelist": ["CVE-2015-0092"], "edition": 3, "description": "This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of certain Type 1 fonts. By providing a crafted font, an attacker can cause a negative offset to be used when calculating a heap buffer address. This would allow an attacker to execute arbitrary code as SYSTEM.", "modified": "2015-06-22T00:00:00", "published": "2015-05-15T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-227/", "id": "ZDI-15-227", "title": "Microsoft Windows Type 1 Font callother Opcode Heap Buffer Underflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:25:08", "bulletinFamily": "info", "cvelist": ["CVE-2015-0090", "CVE-2015-0091", "CVE-2015-0092"], "description": "Posted by Mateusz Jurczyk of Google Project Zero\n\n \n\n\nThis is the final part #4 of the \u201cOne font vulnerability to rule them all\u201d blog post series. In the previous posts, we introduced the \u201cblend\u201d PostScript operator vulnerability and successfully used it to first exploit Adobe Reader, and later escape the sandbox on 32-bit builds of Windows 8.1 by repeating the attack against the kernel with a modified ROP chain and payload:\n\n** \n**\n\n 1. [One font vulnerability to rule them all #1: introducing the BLEND vulnerability](<http://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html>)\n\n 2. [One font vulnerability to rule them all #2: Adobe Reader RCE exploitation](<http://googleprojectzero.blogspot.com/2015/08/one-font-vulnerability-to-rule-them-all.html>)\n\n 3. [One font vulnerability to rule them all #3: Windows 8.1 32-bit sandbox escape exploitation](<http://googleprojectzero.blogspot.com/2015/08/one-font-vulnerability-to-rule-them-all_13.html>)\n\n** \n**\n\nToday, we will complete the proof of concept exploit by adding support for a sandbox escape working on 64-bit builds of Windows 8.1, and provide some closing thoughts regarding the Charstring vulnerability research, as well as font security in general.\n\n# Exploitation of Microsoft Windows 8.1 Update 1 (64-bit)\n\nAs previously mentioned, 64-bit Windows platforms were unaffected by the BLEND vulnerability, making it impossible to use it for a sandbox escape. However, in order to make our proof of concept fully universal and also demonstrate the impact of other issues discovered during the Charstring research, we can take advantage of one of them in the x64 scenario. The three other flaws in ATMFD.DLL potentially allowing arbitrary code execution are listed below:\n\n** \n**\n\n 1. [CVE-2015-0090](<https://code.google.com/p/google-security-research/issues/detail?id=177>) \u2013 a read/write-what-where condition via an uninitialized pointer from the kernel pools.\n\n 2. [CVE-2015-0091](<https://code.google.com/p/google-security-research/issues/detail?id=178>) \u2013 a controlled pool-based buffer overflow of a constant-sized allocation.\n\n 3. [CVE-2015-0092](<https://code.google.com/p/google-security-research/issues/detail?id=179>) \u2013 a \u2264 64 byte pool-based buffer underflow of an arbitrarily-sized allocation.\n\n \n\n\nWhile pool corruption vulnerabilities are still exploitable in the Windows kernel, they are typically rather \u201cinconvenient\u201d to use for attackers, require a lot of work and might be unreliable if the internal state of the pools is not sufficiently controlled. Exploitation of such bugs using universal methods (attacking pool metadata) was also made much more difficult by Microsoft, which introduced a number of pool exploit mitigations in Windows 7, 8 and 8.1. On the other hand, the CVE-2015-0090 issue seemed easier to use, as controlling uninitialized memory via pool spraying is more reliable and safer than corrupting the pools, and secondly, the resulting read/write-what-where primitive is much more powerful and convenient to use for the actual elevation of privileges. As a result, I decided to focus on this specific bug for the x64 sandbox escape part of the proof of concept exploit. The subsection below explains the root cause and other details of the vulnerability.\n\n \n\n\n## The Registry Object vulnerability (CVE-2015-0090)\n\n \n\n\nIn addition to the two standard methods of storing data available to Charstring programs (the operand stack and the transient array), the \u201cType 2 Charstring Format\u201d specs from 1998 (the same revision that introduced the \u201cblend\u201d operator) also defined a completely new one related to the multiple masters functionality, called the \u201cRegistry Object\u201d. While it was subsequently removed in 2000 together with all other OpenType/MM functionality, it is still supported by ATMFD.DLL.\n\n** \n**\n\nThe registry object can be referenced by two dedicated, complementary instructions called \u201cstore\u201d and \u201cload\u201d, which transfer data back and forth between the transient array and the Registry. The storage was described in the specification in the following way: \n \n\n\n \n\n\nThe Registry provides more permanent storage for a number of items that have predefined meanings. The items stored in the Registry do not persist beyond the scope of rendering a font. Registry items are selected with an index, thus:\n\n \n\n\n0 Weight Vector\n\n1 Normalized Design Vector\n\n2 User Design Vector\n\nThe result of selecting a Registry item with an index outside this list is undefined.\n\n** \n**\n\nThe absolute maximum number of elements for these items are:\n\nWeight Vector 16\n\nNormalized Design Vector 15\n\nUser Design Vector 15\n\nThe result of accessing an element of an item beyond the absolute maximum number of elements for an item is undefined. The result of accessing an element of an item beyond the actual range for a particular font is undefined.\n\n** \n**\n\nAs shown above, the document also conveniently hints where things might go wrong in the interpreter if the specified limits are not properly enforced.\n\n** \n**\n\nInternally in ATMFD, the three registry items are implemented as an array of REGISTRY_ITEM structures (I came up with the name and reverse-engineered the format), which reside in a global font state structure used by the driver to store various information regarding the overall font object:\n\n** \n**\n\nstruct REGISTRY_ITEM { \nlong size; \nvoid *data; \n} Registry[3];\n\n** \n**\n\nThe index of the registry item (0, 1 or 2) was in fact sanitized before usage with the following snippet of code: \n \n\n\n.text:000000000004A249 cmp r8d, 3\n\n.text:000000000004A24D ja loc_495FC\n\n** \n**\n\nCan you spot the bug? The code actually verifies an \u201cindex > 3\u201d condition and bails out if it is true, while in fact it should check for \u201cindex >= 3\u201d. This off-by-one error makes it possible for the Charstring to reference an illegal registry item of index 3. More technically speaking, it enables us to trigger the following \u201cmemcpy\u201d function calls with controlled data in the transient array and size of the operation, using the \u201cload\u201d and \u201cstore\u201d instructions respectively: \n \nmemcpy(Registry[3].data, transient array, controlled size); \nmemcpy(transient array, Registry[3].data, controlled size); \n \n\n\nprovided that the signed value of the Registry[3].size field is positive.\n\n** \n**\n\nAs previously mentioned, the registry array is part of an overall font state structure, which means that the out-of-bounds entry at index 3 occupies the memory of whatever object is defined directly after the array. While the exact definition of the structure is unknown due to the closed source nature of the driver, we have observed that the Registry[3] structure is in fact uninitialized during the run time of the interpreter, meaning that both the \u201csize\u201d and \u201cdata\u201d fields contain old bytes that were previously part of another pool allocation. Exploitation wise, if we were able to spray the kernel pools with controlled bytes such that Registry[3].size and Registry[3].data overlapped with our previous allocation, we would end up with arbitrary read and write capabilities in the Windows kernel.\n\n** \n**\n\nIn the Charstring, the condition can be triggered with the following sequence of instructions:\n\n/a ## -| { 3 0 0 1 store } |- \n \n\n\nwhere:\n\n** \n**\n\n * 3 is the out-of-bound registry index, the culprit of the bug,\n\n * 0 is the offset relative to the start of the registry item,\n\n * 0 is the offset relative to the start of the transient array,\n\n * 1 is the number of 32-bit words to copy,\n\n * store is the vulnerable instruction.\n\n \nKernel pool spraying in Windows for the purpose of exploiting use-after-free or use of uninitialized memory conditions is an easy task, even in the latest editions of the operating system. Tarjei Mandt performed some extensive research in this area in the context of Windows 7 [[1](<https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf>)], devising methods for controlling the state of various pool types. For \u201cSession Paged Pools\u201d, which is where the font object structure is allocated from, he proposed the usage of a [SetClassLongPtr](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms633589\\(v=vs.85\\).aspx>) USER function to set the unicode name of a menu object, resulting in a kernel allocation of an arbitrary size and content: \n \n\n\nSetClassLongPtrW(hwnd, GCLP_MENUNAME, (LONG)lpBuffer);\n\n** \n**\n\nAs it turns out, the technique still works just fine in Windows 8.1 \u2013 we only have to determine the right sequence of allocations to make sure that one of them will be reused by ATMFD for the font object structure. Practical experiments have shown that triggering allocations of an increasing size between 1000 and 4000 bytes for 100 times reliably fills the uninitialized REGISTRY_ITEM structure in all tested environments:\n\n** \n**\n\nfor (UINT i = 0; i < 100; i++) { \nfor (UINT j = 500; j < 2000; j++) { \nSpraySessionPoolMemory(hwnd, \nj * 2, \n0x0101010101010101LL, \n0xFFFFFFFFDEADBEEFLL); \n} \n}\n\n** \n**\n\nWhile we believe the algorithm shown above to reliably cause Registry[3].size to reuse the value 0x0101010101010101 and Registry[3].data to reuse the value 0xFFFFFFFFDEADBEEF, if it happens not to be the case for whatever reason, then the font loading will still just cleanly fail if the incidental value of \u201csize\u201d is not positive (a condition checked by ATMFD before copying any memory), or if the value of \u201cdata\u201d is a user-mode address (due to the aggressive exception handling used by the driver, as discussed in the previous section) \u2013 an actual bugcheck can only occur upon access to an invalid kernel-mode memory. This behavior makes it potentially possible to retry the exploitation multiple times, however it shouldn\u2019t really be necessary considering the high degree of reliability provided by the pool spraying procedure.\n\n** \n**\n\nOnce the spraying completes and a font containing the above Charstring program triggering the vulnerability is loaded, we can observe the following system bugcheck, illustrating that the kernel indeed tried to write data to the address we have used in the pool spraying phase:\n\n \nPAGE_FAULT_IN_NONPAGED_AREA (50) \nInvalid system memory was referenced. This cannot be protected by try-except, \nit must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. \nArguments: \nArg1: ffffffffdeadbef2, memory referenced. \nArg2: 0000000000000001, value 0 = read operation, 1 = write operation. \nArg3: fffff96000adcc6a, If non-zero, the instruction address which referenced the bad memory address. \nArg4: 0000000000000002, (reserved)\n\n** \n**\n\nWith the read/write-what-where condition at our disposal, we now have to decide what we are going to read or write, keeping in mind our goal of subverting all existing exploit mitigations available on the attacked Windows 8.1 platform. The question is not exactly trivial to answer, as Microsoft has gone into great lengths to disable all sources of kernel address space information available to Low Integrity processes in Windows 8 and 8.1 \u2013 and we don\u2019t really want to use yet another bug to get the necessary information leak.\n\n** \n**\n\nFortunately, there are still some sources of kernel address space information that Windows doesn\u2019t block, such as information provided directly by the CPU which cannot easily be faked or protected without special capabilities (e.g. hypervisor mode). Two such sources of information are the \u201cSIDT\u201d and \u201cSGDT\u201d instructions, which return the addresses and lengths of the special \u201cInterrupt Descriptor Table\u201d and \u201cGlobal Descriptor Table\u201d processor structures residing in kernel memory. These instructions are available in both user in kernel mode by default and cannot be disabled or restricted (even from ring-0), thus providing a very convenient anti-ASLR primitive.\n\n** \n**\n\nAs the two structures are initialized at a very early stage of the system start up for CPU #0, we can expect them to have a rather \u201cregular\u201d form and/or be located at predictable locations relative to each other. As shown in Figure 1, this is indeed the case \u2013 the GDT structure of size 0x80 is directly followed by IDT of size 0x1000 (256 entries, each 16 bytes long), and since they occupy 0x1080 bytes in total, the subsequent 0xF80 bytes before the page boundary are unused.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-lypnY4_Yu8Y/X7UaCChu4AI/AAAAAAAARn0/Lzx5ibK_F5AKeWpK-euL9n-49Wi2EnBrACNcBGAsYHQ/s937/image2.png>)\n\n \n\n\nFigure 1. The relative placement of GDT and IDT structures for CPU #0 on Windows 8.1 64-bit.\n\n** \n**\n\nThere are several reasons why the structures can be especially useful from the exploitation angle. For one, IDT is full of function pointers by design:\n\n** \n**\n\n0: kd> !idt \nDumping IDT: fffff801d6acf080 \n00: fffff801d5167900 nt!KiDivideErrorFault \n01: fffff801d5167a00 nt!KiDebugTrapOrFault \n02: fffff801d5167bc0 nt!KiNmiInterrupt \n03: fffff801d5167f40 nt!KiBreakpointTrap \n04: fffff801d5168040 nt!KiOverflowTrap \n05: fffff801d5168140 nt!KiBoundFault \n[\u2026]\n\n** \n**\n\nSome of the interrupts are user-facing, i.e. they can be invoked from user-mode. These include low IDT entries being standard CPU exception handlers (not especially safe to tamper with, as other processes or the kernel might also trigger them unexpectedly), but also a handful of entries designed to be used specifically from ring-3, such as nt!KiRaiseSecurityCheckFailure (IDT 0x29), nt!KiRaiseAssertion (IDT 0x2C) or nt!KiDebugServiceTrap (IDT 0x2D). Another potential issue might be the fact that function pointers are partitioned across the IDT entry, interlaced by other flags and values, as shown in Figure 2.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-vEZriwNT7CA/X7UaJtlJM_I/AAAAAAAARn4/B7gonfqXEJwihABEziYQVxNh2ppG7s_pQCNcBGAsYHQ/s875/image3.png>)\n\nFigure 2. 64-bit IDT entry descriptors\n\n(source: Intel\u00ae 64 and IA-32 Architectures Software Developer\u2019s Manual Volume 3A: System Programming Guide, Part 1)\n\n** \n**\n\nThe pointer partitioning should not be much of a problem though, as it could be probably handled by a few arithmetic instructions in the Charstring program. Better yet, we could also just find a \u201ctrampoline\u201d gadget of the form \u201cJMP REG\u201d in the direct vicinity (same memory page) of the overwritten handler, which should then only require modifying the low 16 bits of the address and also be fully reliable against ASLR.\n\n** \n**\n\nThe other extremely interesting and useful fact about the GDT/IDT memory area are its access rights, which are set to Read/Write/Execute, as shown below in a WinDbg listing: \n \n\n\n0: kd> !pte idtr \nVA fffff801d6acf080 \n[...] PTE at FFFFF6FC00EB5678 \n[...] contains 00000000048CF163 \n[...] pfn 48cf -G-DA\u2014KWEV\n\n** \n**\n\nAs a result, we can freely store out payload in the 0xF80 unused bytes following IDT, and execute it from there! Now, all the pieces start to come together. :-)\n\n** \n**\n\nAs we are attacking a 64-bit kernel, the IDT address is likewise 64-bit. However, the 2nd stage DLL obviously runs in the 32-bit Compatibility Mode, and thus the SIDT instruction executed in such context would only provide us with 32 bits of the desired address. In order to get it in full, we must temporarily transfer to Long Mode, execute the one necessary instruction and immediately return back to Compatibility Mode. Both transfers are very simple to achieve, as they only take a single far call to code segment (cs: register) 0x33 for the 64-bit mode, and code segment 0x23 for the 32-bit mode.\n\n** \n**\n\nThe following helper C++ macros for Visual Studio were developed by ReWolf to facilitate the task [[2](<http://blog.rewolf.pl/blog/?p=102>)]:\n\n \n\n\n#define EM(a) __asm __emit (a)\n\n#define X64_Start_with_CS(_cs) { \\\n\nEM(0x6A) EM(_cs) /* push _cs */ \\\n\nEM(0xE8) EM(0) EM(0) EM(0) EM(0) /* call $+5 */ \\\n\nEM(0x83) EM(4) EM(0x24) EM(5) /* add dword [esp], 5 */ \\\n\nEM(0xCB) /* retf */ \\\n\n}\n\n#define X64_End_with_CS(_cs) { \\\n\nEM(0xE8) EM(0) EM(0) EM(0) EM(0) /* call $+5 */ \\\n\nEM(0xC7) EM(0x44) EM(0x24) EM(4) /* */ \\\n\nEM(_cs) EM(0) EM(0) EM(0) /* mov dword [rsp + 4], _cs */ \\\n\nEM(0x83) EM(4) EM(0x24) EM(0xD) /* add dword [rsp], 0xD */ \\\n\nEM(0xCB) /* retf */ \\\n\n}\n\n#define X64_Start() X64_Start_with_CS(0x33)\n\n#define X64_End() X64_End_with_CS(0x23)\n\n** \n**\n\nBy making use of them, we can now obtain the full address of IDT using the following short C++ function:\n\n** \n**\n\nULONGLONG sidt() {\n\n#pragma pack(push, 1)\n\nstruct {\n\nUSHORT limit;\n\nULONGLONG address;\n\n} idtr;\n\n#pragma pack(pop)\n\nX64_Start();\n\n__sidt(&idtr);\n\nX64_End();\n\nreturn idtr.address;\n\n}\n\n** \n**\n\nWith this, we now have all the puzzles in place, and can implement the final exploit by following the following steps in the 2nd stage DLL:\n\n** \n**\n\n 1. Make sure that the thread is running on CPU #0 using the [SetThreadAffinityMask](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms686247\\(v=vs.85\\).aspx>) API.\n\n 2. Spray the Session Paged Pool with Registry[3].size set to 0x0101..., and Registry[3].data set to the IDT address.\n\n 3. Load the kernel exploit font.\n\n** \n**\n\nThe rest of the exploitation process takes places inside of the Charstring program in the font, which performs the following actions:\n\n** \n**\n\n 4. Copy the entire IDT to the transient array.\n\n 5. Adjust entry 0x29 (nt!KiRaiseSecurityCheckFailure) to an address of a \u201cJMP R11\u201d gadget residing in the same memory page, and write it back to IDT.\n\n 6. Save the modified part of IDT[0x29] at IDT+0x1100 in order to restore it later on.\n\n 7. Write the kernel-mode elevation of privileges shellcode at IDT+0x1104.\n\n** \n**\n\nThe \u201cKiRaiseSecurityCheckFailure\u201d interrupt was chosen for the irony of it \u2013 here, we\u2019re using a mechanism designed to mitigate vulnerability exploitation to compromise the operating system. :-) The steps taken by the font are illustrated in the following animation:\n\n[](<https://1.bp.blogspot.com/-gPkA2Ae8rEM/X7UafLiyu-I/AAAAAAAARoA/lLh7kRPQThooD6c6DejUJXU7FUgOBA27QCNcBGAsYHQ/s800/image1.gif>)\n\n \n\n\nOnce the Charstring program execution completes, our environment is fully set up \u2013 the only remaining steps are to trigger the execution of the kernel-mode shellcode installed in memory past the IDT and finish the job:\n\n** \n**\n\n 8. Switch to Long Mode and trigger Interrupt 0x29 with the R11 register set to IDT+0x1104 (the shellcode address).\n\n 1. The shellcode restores the original IDT[0x29] entry, elevates all \u201cAcroRd32.exe\u201d process privileges and increases the active process limit using the algorithm described in the 32-bit kernel exploitation section.\n\n 9. Unhook the KERNELBASE!CreateProcessA function.\n\n 10. Spawn calc.exe.\n\n** \n**\n\nA working exploit successfully escaping the Adobe Reader sandbox via the CVE-2015-0090 vulnerability is presented in the video below:\n\n** \n** \n\n\n \n\n\n# Final thoughts\n\nMission accomplished! We have successfully created a single, 100% reliable PDF file launching an elevated calc.exe upon opening with Adobe Reader 11.0.10 on Windows 8.1 Update 1 x86 and x64. To sum up, we have managed to bypass the following exploit mitigations along the way:\n\n** \n**\n\n * Stack cookies \u2013 thanks to the arbitrary, non-continuous stack read/write primitive provided by the BLEND vulnerability, we have never touched any stack cookies during the exploitation process.\n\n * ASLR \u2013 the exploit is based solely on addresses calculated off data reliably leaked or requested from the CPU.\n\n * DEP \u2013 all stages ran in executable memory (through ROP or otherwise).\n\n * Sandboxing \u2013 escaped by using the same (x86) or related (x64) vulnerability.\n\n * SMEP \u2013 kernel-mode payload executed in the kernel address space.\n\n** \n**\n\nWe have also maintained complete reliability along the process, as no brute-forcing or guessing was involved; instead, all stages were fully deterministic (with the small exception of kernel pool spraying in the x64 sandbox escape, which we still consider extremely reliable). \n\n** \n**\n\nPerforming the Charstring security research was an interesting exercise, as it distinctly showed that even despite the seemingly large amount of attention from the security community, font vulnerabilities are still not extinct, but rather quite the opposite (the latest example being yet another ATMFD vulnerability discovered in the Hacking Team leaked data dump). Considering the extent of font format functionality and complexity (which are still being extended in order to accommodate modern users\u2019 needs), we find it likely that fonts will be an attractive target for the foreseeable future. The impact of font vulnerabilities could still be greatly reduced in many areas, for example by removing font processing from all privileged security contexts (such as the operating system kernel). We applaud Microsoft for introducing a number of font-related mitigations in the upcoming Windows 10, such as the usage of low integrity userland font drivers.\n\n** \n**\n\nThe research also shows that certain portions of native code can still be shared between various high-profile software today, even between client applications and operating systems. Such situations may have a number of negative consequences on software security, worst of which being the scenario discussed in this post \u2013 a single vulnerability affecting a number of targets, enabling adversaries to attack many targets simultaneously or chain exploits to compromise machines with just one bug. While this is definitely not a common situation, sometimes it is worthwhile to study the history of software and file format development, as it may uncover interesting or surprising connections between pieces of software we run on our computers today, or indicate the most promising areas for research (e.g. obsolete, deprecated or forgotten file format features implemented decades ago).\n\n** \n**\n\nLastly, the BLEND vulnerability demonstrates that even in 2015, the era of high-quality mitigations and security mechanisms, one good bug providing the right set of primitives can still suffice to fully compromise a system.\n\n** \n**\n\nI hope you enjoyed the series, and stay tuned for more font-related blog posts soon! :-)\n\n# References\n\n 1. [https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf](<https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf>)\n\n 2. [http://blog.rewolf.pl/blog/?p=102](<http://blog.rewolf.pl/blog/?p=102>)\n\n \n\n", "modified": "2015-08-21T00:00:00", "published": "2015-08-21T00:00:00", "id": "GOOGLEPROJECTZERO:CFED3C66FBADE8A584579DF5EE43C77B", "href": "https://googleprojectzero.blogspot.com/2015/08/one-font-vulnerability-to-rule-them-all_21.html", "type": "googleprojectzero", "title": "\nOne font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-14T19:21:17", "bulletinFamily": "info", "cvelist": ["CVE-2015-0074", "CVE-2015-0087", "CVE-2015-0088", "CVE-2015-0089", "CVE-2015-0090", "CVE-2015-0091", "CVE-2015-0092", "CVE-2015-0093", "CVE-2015-1670", "CVE-2015-3049", "CVE-2015-3050", "CVE-2015-3051", "CVE-2015-3052", "CVE-2015-3095"], "description": "Posted by Mateusz Jurczyk of Google Project Zero\n\n \n\n\nLast month, I presented parts of my PostScript font security research at the REcon security conference in Montreal, in a talk titled \u201cOne font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation\u201d. This talk discussed the exploitation process of a vulnerability found in the implementation of a BLEND Charstring instruction, discovered in a user-mode Adobe Reader\u2019s CoolType library and a kernel-mode Adobe Type Manager Font Driver (ATMFD.DLL) used by Windows, both of which are responsible for supporting Type 1 and OpenType fonts in the Reader and system GDI environments. This research was performed as part of my Project Zero work, and more generally resulted in a multitude of vulnerabilities discovered in different modern font engines, which all share a common ancestor of the Charstring interpreter routine \u2013 ranging from low to critical severity flaws. The full breakdown of the identified security issues can be found below, with links pointing to corresponding google-security-research bug tracker entries, containing reports with detailed analysis of the vulnerabilities together with Proof of Concept files, as they were provided to the vendors:\n\n \n\n\n \n| \n\nMicrosoft Windows (ATMFD)\n\n| \n\nAdobe Reader (CoolType)\n\n| \n\nDirectWrite\n\n| \n\nWindows Presentation Foundation \n \n---|---|---|---|--- \n \nUnlimited Charstring execution\n\n| \n\n[CVE-2015-0074](<https://code.google.com/p/google-security-research/issues/detail?id=169>)\n\n| \n\n\u2013\n\n| \n\n\u2013\n\n| \n\n\u2013 \n \nOut-of-bounds reads from the Charstring stream\n\n| \n\n[CVE-2015-0087](<https://code.google.com/p/google-security-research/issues/detail?id=174>)\n\n| \n\n[CVE-2015-3095](<https://code.google.com/p/google-security-research/issues/detail?id=247>)\n\n| \n\n\u2013\n\n| \n\n\u2013 \n \nOff-by-x out-of-bounds reads/writes relative to the operand stack\n\n| \n\n[CVE-2015-0088](<https://code.google.com/p/google-security-research/issues/detail?id=175>)\n\n| \n\n\u2013\n\n| \n\n\u2013\n\n| \n\n\u2013 \n \nMemory disclosure via uninitialized transient array\n\n| \n\n[CVE-2015-0089](<https://code.google.com/p/google-security-research/issues/detail?id=176>)\n\n| \n\n[CVE-2015-3049](<https://code.google.com/p/google-security-research/issues/detail?id=248>)\n\n| \n\n[CVE-2015-1670](<https://code.google.com/p/google-security-research/issues/detail?id=259>)\n\n| \n\n[CVE-2015-1670](<https://code.google.com/p/google-security-research/issues/detail?id=277>) \n \nRead/write-what-where in LOAD and STORE operators\n\n| \n\n[CVE-2015-0090](<https://code.google.com/p/google-security-research/issues/detail?id=177>)\n\n| \n\n\u2013\n\n| \n\n\u2013\n\n| \n\n\u2013 \n \nBuffer overflow in Counter Control Hints\n\n| \n\n[CVE-2015-0091](<https://code.google.com/p/google-security-research/issues/detail?id=178>)\n\n| \n\n[CVE-2015-3050](<https://code.google.com/p/google-security-research/issues/detail?id=249>)\n\n| \n\n\u2013\n\n| \n\n\u2013 \n \nBuffer underflow due to integer overflow in STOREWV\n\n| \n\n[CVE-2015-0092](<https://code.google.com/p/google-security-research/issues/detail?id=179>)\n\n| \n\n[CVE-2015-3051](<https://code.google.com/p/google-security-research/issues/detail?id=250>)\n\n| \n\n\u2013\n\n| \n\n\u2013 \n \nUnlimited out-of-bounds stack manipulation via BLEND operator\n\n| \n\n[CVE-2015-0093](<https://code.google.com/p/google-security-research/issues/detail?id=180>)\n\n| \n\n[CVE-2015-3052](<https://code.google.com/p/google-security-research/issues/detail?id=258>)\n\n| \n\n\u2013\n\n| \n\n\u2013 \n \n** \n** \n\n\nAs shown above, most of the vulnerabilities were present in more than one font engine, running in different security contexts or privilege levels. All of them were reported to the respective vendors shortly after their discovery, and were subsequently patched by Microsoft in two security bulletins: [MS15-021](<https://technet.microsoft.com/library/security/MS15-021>) (March) and [MS15-044](<https://technet.microsoft.com/library/security/MS15-044>) (May), while Adobe issued a single [APSB15-10](<https://helpx.adobe.com/security/products/acrobat/apsb15-10.html>) bulletin in May to address all issues affecting Reader.\n\n \n\n\nSome background story on the research can be found in the [\u201cResults of my recent PostScript Charstring security research unveiled\u201d](<http://j00ru.vexillium.org/?p=2520>) blog post, and the slide deck used during my REcon presentation is linked below: \n \n\n\n[One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation](<http://j00ru.vexillium.org/dump/recon2015.pdf>) (PDF, 7.78MB)\n\n \n\n\nTo make a long story short, the one vulnerability mentioned in the title is CVE-2015-0093 (also dubbed CVE-2015-3052 by Adobe). What makes it unique is the fact that it provides an extremely powerful primitive, making it possible to perform arbitrary PostScript operations (e.g. arithmetic, logic, conditional and other) anywhere on the exploited thread\u2019s stack, with full control over what is overwritten and how. This, in turn, could be used by an attacker to craft a self-contained malicious Type 1 font which, once loaded in the vulnerable environment, reliably and deterministically builds a ROP chain in the Charstring program, consequently defeating all modern exploit mitigations techniques such as stack cookies, DEP, ASLR, SMEP and so on. It also affected both Adobe Reader and the Windows kernel (32-bit), enabling the creation of a single PDF file, which would first achieve arbitrary code execution within the PDF viewer\u2019s process, and further escape the sandbox by exploiting the very same bug in the operating system, elevating chosen process\u2019 privileges in the system and removing the associated job\u2019s restrictions.\n\n \n\n\nIn order to demonstrate that the above scenario was in fact possible, I created a Proof of Concept file which does exactly that, targeting the latest versions of the software affected by the bugs: Adobe Reader 11.0.10 and Windows 8.1 Update 1 (32-bit). Considering that 64-bit builds of Windows were not affected by the BLEND vulnerability, I also devised an x64 way to achieve reliable elevation of privileges using another Charstring vulnerability (CVE-2015-0090) found during the research, which also adheres to the \u201c100% reliability\u201d and \u201call mitigations bypassed\u201d philosophy.\n\n \n\n\nIn the upcoming series of blog posts, I will discuss the exploitation of the BLEND vulnerability in more detail, and further extend some of the thoughts mentioned in the slides, sharing my insights and providing more context to those who didn\u2019t get a chance to attend the REcon talk in person. Today\u2019s part will cover a brief introduction to digital typography and the role PostScript fonts play in it, a Type 1 / OpenType primer, a short guide to reverse engineering the program interpreter found in ATMFD.DLL, and finally a description of the security flaw in the \u201cblend\u201d operator itself. Further posts released in the upcoming weeks will subsequently provide details on the process of exploiting Adobe Reader for remote code execution, and Windows 8.1 32/64-bit for sandbox escapes on both builds of the operating system. Let\u2019s start with the beginning!\n\n# Some (pre)history\n\nThe history of digital typography is almost as old as the history of computing itself. Early personal computers seen in the very early 80\u2019s offered a minimalistic user interface, which only allowed input and output to be passed around as text \u2013 text that had to be displayed on the screen somehow. Since both hardware and software were very simple and had limited capabilities, text formatting on the display were not an utmost priority back then (more so in the printing industry) with mostly predefined, fixed-width bitmap fonts used at first. Figure 1 shows the different typefaces (implemented in the form of bitmap fonts) designed by Susan Kare and released with the original Mac OS operating system in 1984.\n\n \n\n\n\n\nFigure 1. Original typefaces shipped with Mac OS in 1984 (source: [https://en.wikipedia.org/wiki/Susan_Kare](<https://en.wikipedia.org/wiki/Susan_Kare>))\n\n \n\n\nA number of bitmap font formats were designed in the 80\u2019s, with some of them still supported by software nowadays, such as Portable Compiled Format (PCF, supported by FreeType), Glyph Bitmap Distribution Format (BDF, supported by FreeType) or Microsoft Windows Bitmapped Font (FON, supported by FreeType and Windows GDI). \n\n \n\n\nAlso in 1984, Adobe introduced two outline font formats based on the PostScript language, itself created two years before: Type 1 fonts, which could use a specific subset of the PostScript specification, and Type 3 fonts, which could make use of all of the language\u2019s features. This was a huge leap forward, as these fonts would specify the glyph shapes instead of their bitmap representation at a specific point size, making them more extensible, adjustable and universal. These formats were originally proprietary and licensed to Adobe partners; they were only publicly documented in 1990, following Apple\u2019s work on an independent format, TrueType. As security researchers looking into PostScript fonts, we should be interested primarily in the Type 1 format (not Type 3), which is the one supported by popular software on desktop computers. The two most important documents are:\n\n \n\n\n * [Adobe Type 1 Font Format, Addison-Wesley Publishing Company, Inc., Third printing, February 1993, Version 1.1](<https://partners.adobe.com/public/developer/en/font/T1_SPEC.PDF>)\n\n * [Type 1 Font Format Supplement, Technical Specification #5015, Adobe Systems Incorporated, 15 May 1994](<https://partners.adobe.com/public/developer/en/font/5015.Type1_Supp.pdf>)\n\n \n\n\nA year later in 1991, Adobe released an extension to the Type 1 font format, called [Multiple Master fonts](<https://en.wikipedia.org/wiki/Multiple_master_fonts>), which enabled specifying two or more masters (font styles: weight, width, optical size, style) and interpolating between them along a continuous range of \u201caxes\u201d, as shown in Figure 2. From a technical perspective, the extension was implemented by introducing several new Dictionary fields in the Type 1 header, together with several new Charstring instructions. The details of the technology can be found in the \u201cType 1 Font Format Supplement\u201d linked above. The interesting bit about it is that while it is officially part of the specification and is therefore supported by many modern font engines, it was never commonly adopted worldwide, with just a handful of Multiple Master fonts ever coming to existence, mostly created by Adobe itself. This is something to keep in mind as old, sparse, unknown features of common file formats are often great vulnerability hunting targets. More information about the development of Multiple Master typefaces in Adobe can be found in the \u201cThe Adobe Originals Silver Anniversary Story: How the Originals endured in an ever-changing industry\u201d article [[1](<http://blog.typekit.com/2014/07/30/the-adobe-originals-silver-anniversary-story-how-the-originals-endured-in-an-ever-changing-industry/>)], but we actually recommend the entire \u201cCelebrating 25 Years of Adobe Originals\u201d series [[2](<http://blog.typekit.com/25-years-of-adobe-originals/>)] for anyone curious about the history of digital typography and Adobe\u2019s role in it.\n\n \n\n\n\n\nFigure 2. Examples of design axes and dynamic ranges in multiple master typefaces (source: [http://blog.typekit.com/2014/07/30/the-adobe-originals-silver-anniversary-story-how-the-originals-endured-in-an-ever-changing-industry/](<http://blog.typekit.com/2014/07/30/the-adobe-originals-silver-anniversary-story-how-the-originals-endured-in-an-ever-changing-industry/>))\n\n \n\n\nIn the same year of 1991, Apple designed a completely new outline font format called [TrueType](<https://en.wikipedia.org/wiki/TrueType>) as a competitor to Type 1. It was based on the SFNT general file structure (a short header and a number of data sections described by four-byte tag, offset, length and checksum), represented glyph outlines using quadratic b\u00e9zier curves, and defined a dedicated turing-complete hinting programming language. The format was first supported in Mac OS System 7 released in May 1991, but Apple also licensed it to Microsoft for free in order to ensure wide adoption. As a result, TTF support was introduced in Windows 3.1 released in 1992. It is largely the same code that rasterizes TTF fonts in the most recent versions of Windows today.\n\n \n\n\nThree years later, Apple extended TrueType with the launch of [TrueType GX](<https://en.wikipedia.org/wiki/QuickDraw_GX#TrueType_GX>), which introduced new, advanced features such as morphing (similar to Adobe\u2019s Multiple Masters) or Line Layout Manager. Microsoft failed to license the format from Apple [[3](<https://en.wikipedia.org/wiki/OpenType#History>)] and started working on a new one, originally called TrueType Open. Adobe would later join Microsoft in these efforts in order to create technology which would supersede both TrueType and Type 1, eventually named OpenType. While OpenType shares the same overall SFNT structure as TrueType, it uses a different set of tables. Furthermore, it can specify glyph outlines in either the old TrueType format (\u201cglyf\u201d table) or a new one called \u201cCompact Font Format\u201d (CFF), which is essentially an extended and binary-encoded equivalent of Type 1. As the most common flavor nowadays, the term \"OpenType font\" is often used for short of OpenType/CFF.\n\n \n\n\nBasic support for OpenType was implemented in [Adobe Type Manager](<https://en.wikipedia.org/wiki/Adobe_Type_Manager>) in the early years of the format\u2019s development, but in order to have the fonts working in the Windows environment, the program had to be installed separately in Windows 3.0, 3.1, 95, 98, Me and NT. Microsoft then added official support for external font drivers in the operating system, and worked with Adobe to include an Adobe Type Manager Font Driver (ATMFD.DLL) module in default installations starting with Windows 2000. The driver has remained in all further editions of the OS, up to and including Windows 8.1. In the meanwhile, Adobe used the same code to handle OpenType fonts in some of their other products, such as Adobe Reader (the CoolType library), and other projects and vendors followed by also implementing support for the format, too. Overall, OpenType was widely recognized and is now one of two most commonly used font formats together with TrueType.\n\n# More recent times\n\nSince late 90's, no groundbreaking revolution has taken place in the form of new font formats. Instead, the existing standards for TrueType and OpenType have been evolving, going through a number of official specification revisions and unofficial extensions implemented by various vendors, often with little to no collaboration with other major actors. For example, Apple introduced SFNT tables enabling more advanced font features supported by AAT (Apple Advanced Typography), Microsoft introduced new math tables supported by Office, Windows 8 (RichEdit 8.0) and Gecko, Mozilla and Adobe proposed adding full SVG support to OpenType and so forth. As a result, security researchers nowadays would be mostly interested in four font formats: FON bitmap fonts as still supported by Microsoft Windows and FreeType, Type 1 PostScript fonts supported by Microsoft Windows, Adobe Reader, FreeType and Oracle Java, as well as TrueType and OpenType fonts (with their various vendor-specific extensions) supported by pretty much every modern font engine. The three most exposed pieces of software would be the FreeType open-source library used by a majority of UNIX-based software (GNU/Linux, iOS, Android, Chrome OS etc.), and Windows GDI / DirectWrite, which are used by most desktop applications running on Windows for font rasterization (e.g. Internet Explorer, Google Chrome, Mozilla Firefox, Microsoft Office etc.).\n\n \n\n\nAs it turns out, the above historical background is quite important in the context of today's software security. Considering the extensive collaboration between vendors decades ago, a great number of modern widely used programs and systems share a common ancestor of their font rasterization code. For example, most TTF engines are based on Microsoft's original implementation of the format, including Windows GDI (win32k.sys), Microsoft GDI+, Microsoft DirectWrite, Adobe Reader and Adobe Flash. Likewise, most OTF engines are based on Adobe's original implementation, including Microsoft GDI (ATMFD.DLL), Microsoft DirectWrite, Microsoft Presentation Foundation and Adobe Reader. As a direct outcome, any bugs present in the original implementation that was later branched and included in multiple products were likely propagated, and may affect various programs or operating systems. This is of course an extremely frightful scenario, with a single 0-day vulnerability potentially being used in targeted or mass campaigns against users of different software, or chained to accomplish both remote code execution and a sandbox escape, leading to complete system compromise. Consequently, I believe that due to the high sensitivity of the code area, it deserves special attention from the security community.\n\n \n\n\n\n\nFigure 3. Potential security impact of vulnerabilities present in the shared PostScript font implementation.\n\n \n\n\nIt is important to note that while the same pieces of code can be found in a variety of modern programs and environments, they have been living in different branches and maintained by different groups of people for many years now. They have very likely received a varied degree of auditing and fuzzing (being more or less valuable targets), which means that they don\u2019t have to be affected by the exact same set of bugs today. On one hand, this can be considered good news, since a bug in one of the products won\u2019t necessarily affect all the other ones, limiting the impact. On the other hand, security relevant differences in the codebases can reveal issues in the unpatched software through missing sanity checks and similar patterns easy to recognize by reverse engineers using binary diffing tools.\n\n \n\n\nWhat makes font engines even more sensitive and susceptible to attacks is the fact that the attackers can choose from any of the existing file formats, most of which are extremely complex both structurally and semantically, making it very difficult to get them 100% right in implementation. If we also consider that a majority of the parsers were in a large part developed in C/C++ several decades ago, that they are easily reachable via numerous channels (websites, documents, USB sticks etc.), and that they support extensive, turing-complete virtual machine environments for running untrusted TTF/PostScript Charstring programs, it becomes clear that fonts are one of the best imaginable attack vectors. This is true even despite the great number of vulnerabilities that have already been fixed in virtually every font engine in existence, conference talks given in the past (nearly every major one having a font-related presentation in agenda), and font vulnerabilities being used both \u201cin the wild\u201d (e.g. the Duqu TTF exploit [[4](<https://cansecwest.com/slides/2013/Analysis%20of%20a%20Windows%20Kernel%20Vuln.pdf>)], or comex\u2019 iOS jailbreak via a FreeType Type 1 vulnerability [[5](<http://esec-lab.sogeti.com/posts/2011/07/16/analysis-of-the-jailbreakme-v3-font-exploit.html>)]) and in various hacking competitions such as pwn2own 2013 (Joshua Drake\u2019s Java 7 SE OpenType memory corruption vulnerability [[6](<http://files.accuvant.com/web/file/4a2a88cc7dec477096b88e19eba57969/White%20Paper-%20pwn2own_2013__java_7_se_memory_corruption.pdf>)]), or pwn2own 2015 (K33n Team\u2019s TTF vulnerability [[7](<http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes>)]).\n\n \n\n\nBefore we dive into discussing the Charstring related vulnerabilities discovered in Type 1 / OpenType handling implemented in ATMFD.DLL and related font engines, let\u2019s briefly go through the format and structure of the two PostScript formats.\n\n# Type 1 font primer\n\nIn essence, Type 1 fonts are a set of so-called \u201cdictionaries\u201d (associative name \u2192 value arrays with field-specific primitive types or other nested dictionaries) responsible for specifying the general font properties, and PostScript programs called \u201cCharstrings\u201d describing the shapes of all glyphs supported by the font. An overview of the general font structure is shown in Figure 4.\n\n \n\n\n\n\nFigure 4. Typical dictionary structure of a Type 1 font (source: Adobe Type 1 Font Format, Adobe Systems Inc.)\n\n \n\n\nThere are a number of file formats related to Type 1 fonts:\n\n \n\n\n * .AFM (Adobe Font Metrics), .ACFM (Adobe Composite Font Metrics), .AMFM (Adobe Multiple Font Metrics) \u2013 textual metrics files.\n\n * .PFA (Printer Font ASCII) \u2013 textual representation of the core font file.\n\n * .PFB (Printer Font Binary) \u2013 binary representation of the core font file. \n\n * .PFM (Printer Font Metric) \u2013 binary representation of the font metrics.\n\n * .MMM (Multiple Master Metric) \u2013 binary representation of Multiple Master font metrics.\n\n \n\n\nDepending on the environment, various subsets of the above files are necessary to use the font, with .PFB (the main, partially binary encoded font file) and .PFM (binary encoded font metrics) being the most common ones. For example, the [AddFontResource](<https://msdn.microsoft.com/en-us/library/windows/desktop/dd183326%28v=vs.85%29.aspx>) Windows API function requires paths to the .PFB and .PFM files separated by a pipe character, with the potential addition of an .MMM file if the font supports multiple masters.\n\n \n\n\nExamining and modifying .PFB files (and especially the Charstrings contained within) is inconvenient due to two major reasons: binary encoding and encryption. As it turns out, Adobe introduced a simple encryption scheme in Type 1 fonts in order to prevent casual inspection by third parties. The full details of the algorithm used to \u201cprotect\u201d (or obfuscate, rather) the Private dictionary and Charstrings were only documented when the Type 1 format specification came to light in the 90\u2019s. The encryption routine is shown below, with decryption achieved using the same function with minor changes:\n\n \n\n\nunsigned short int r;\n\nunsigned short int c1 = 52845;\n\nunsigned short int c2 = 22719;\n\nunsigned char Encrypt(plain) unsigned char plain;\n\n{unsigned char cipher;\n\ncipher = (plain ^ (r>>8));\n\nr = (cipher + r) * c1 + c2;\n\nreturn cipher;\n\n}\n\n(source: Adobe Type 1 Font Format, Adobe Systems Inc.)\n\n \n\n\nIn order to work around the encryption and Charstring encoding, we can conveniently use the type1 and detype1 utilities as part of the [Adobe Font Development Kit for OpenType (AFDKO)](<http://www.adobe.com/devnet/opentype/afdko.html>) (open source code available on [GitHub](<https://github.com/adobe-type-tools/afdko>)), which can convert between .PFB and .PFA (textual, human readable) font files: \n \n$ detype1 font.pfb > font.pfa \n$ type1 font.pfa > font.pfb\n\n \n\n\nAt this point, we can freely work with Type 1 fonts, analyzing and modifying them as needed. If we take a quick look into any .PFA file, we will see a number of PostScript programs of the following form:\n\n \n\n\n/at ## -| { 36 800 hsbw -15 100 hstem 154 108 hstem 466 108 hstem 666 100 hstem 445 85 vstem 155 120 vstem 641 88 vstem 0 100 vstem 275 353 rmoveto 54 41 59 57 vhcurveto 49 0 30 -39 -7 -57 rrcurveto -6 -49 -26 -59 -62 0 rrcurveto -49 -27 43 48 hvcurveto closepath 312 212 rmoveto -95 hlineto -10 -52 rlineto -30 42 -42 19 -51 0 rrcurveto -124 -80 -116 -121 hvcurveto -101 80 -82 88 vhcurveto 60 0 42 28 26 29 rrcurveto 33 4 callsubr 8 -31 26 -25 28 -1 rrcurveto 48 -2 58 26 48 63 rrcurveto 40 52 22 75 0 82 rrcurveto 0 94 -44 77 -68 59 rrcurveto -66 59 -81 27 -88 0 rrcurveto -213 -169 -168 -223 hvcurveto -225 173 -165 215 vhcurveto 107 0 92 31 70 36 rrcurveto -82 65 rlineto -32 -20 -64 -12 -83 0 rrcurveto -171 -125 108 182 hvcurveto 172 111 119 168 vhcurveto 153 0 118 -84 -9 -166 rrcurveto -5 -86 -51 -81 -36 -4 rrcurveto -29 -3 12 43 5 24 rrcurveto closepath endchar } |-\n\n \n\n\nAs clearly visible, the instruction stream consists of various outline-related instructions interlaced with immediate numbers (operands). To better understand how the program execution works, let\u2019s discuss the various components of the execution environment:\n\n \n\n\n * Instruction stream \\- the stream of encoded instructions used to fetch operators and execute them. Not accessible by the Type 1 program itself.\n\n * Operand stack \\- a LIFO structure holding up to 24 numeric (32-bit) entries. Similarly to regular PostScript, it is used to store instruction operands. It\u2019s important to note that while the maximum width of each entry is 32 bits, different instructions may interpret them in a variety of ways, e.g. as 16.16 fixed points, 16-bit values (discarding part of the information) etc.\n\n * Transient array or BuildCharArray \\- a fully accessible array of 32-bit numeric entries; can be pre-initialized by specifying a /BuildCharArray array in the Private dictionary, and the size can be controlled via a /lenBuildCharArray entry of type \u201cnumber\u201d.\n\n \n\n\nMost instructions are encoded with a single byte, with the exception of some immediate numbers and the \u201cescape\u201d instructions. The entirety of operators can be divided into six groups depending on their functions:\n\n \n\n\nByte range 0 - 31:\n\n 1. Commands for starting and finishing a character\u2019s outline,\n\n 2. Path construction commands,\n\n 3. Hint commands,\n\n 4. Arithmetic commands,\n\n 5. Subroutine commands.\n\nByte range 32 - 255:\n\n 6. Immediate values pushed on the operand stack, encoded with a varying number of bytes depending on the size of the number.\n\n \n\n\nAll instructions documented in the latest version of the Type 1 format specification are shown in Figure 5.\n\n \n\n\n\n\nFigure 5. Currently documented Charstring commands (source: Adobe Type 1 Font Format, Adobe Systems Inc.)\n\n \n\n\nWhile the current list of Type 1 instructions seems rather short, it is important to remember that the PostScript font formats have been evolving over decades, going through a number of iterations which introduced and removed various operators along the way. As a result, font engines which are supposed to maintain backwards compatibility with most/all fonts ever created likely support instructions that are not on the above list (but may still be interesting from a security point of view). In this context, old revisions of said specifications may be a very valuable source of information.\n\n \n\n\nThe Type 1 font specification discusses a number of interesting mechanisms used by the format (such as subroutines or so-called \u201cothersubrs\u201d), but since they are not necessary to understand or exploit the BLEND vulnerability covered in this post, we will not explain them here. If you\u2019re interested in font internals or other vulnerabilities discovered during my Charstring security research, we encourage you to study the full specification.\n\n# OpenType font primer\n\nThe following two documents should work as solid foundation for any OpenType/CFF related research:\n\n \n\n\n * [The Compact Font Format Specification, Technical Note #5176, Version 1.0, Adobe Systems Incorporated, 4 December 2003](<https://partners.adobe.com/public/developer/en/font/5176.CFF.pdf>)\n\n * [The Type 2 Charstring Format, Technical Note #5177, Adobe Systems Incorporated, 16 March 2000](<https://partners.adobe.com/public/developer/en/font/5177.Type2.pdf>)\n\n \n\n\nSince OpenType is a fully binary format, it\u2019s similarly inconvenient to inspect or modify manually. In this case, you can use the ttx.py tool (part of the [Fonttools suite](<https://github.com/behdad/fonttools/>)) to convert TrueType and OpenType fonts to a human-readable XML form and back. The fact that it supports a majority of modern SFNT tables and TrueType/PostScript programs makes it a very useful tool.\n\n \n\n\nOverall, the OpenType/CFF format is largely similar to Type 1. There are only a handful of major differences:\n\n * the font is always contained within a single file (.OTF) instead of two or more.\n\n * previously textual data (such as some of the Dictionaries) is now encoded in binary form in order to reduce memory/disk consumption.\n\n * the Charstring specification was greatly extended, introducing many new instructions and deprecating some older ones.\n\n \n\n\nA full listing of Type 2 Charstring operators defined in the latest revision of the specification is shown in Figure 6.\n\n \n\n\n\n\nFigure 6. All currently documented Type 2 Charstring operators (source: The Type 2 Charstring Format, Adobe Systems Inc.)\n\n \n\n\nA careful reader will notice that the encodings of Type 1 and Type 2 Charstring instructions are binary compatible: the now-unused Type 1 operators are always marked as \u201c-Reserved-\u201d and never reused in Type 2, while all new commands use previously vacant opcodes (either in the main or \u201cescape\u201d namespace). This makes it possible to create a PostScript program containing instructions from both Type 1 and Type 2 specs, which might have been intentional, so that Type 1 and OpenType/CFF fonts could be converted to each other without information loss. However, this behavior might also have some interesting security implications \u2013 something to keep in mind for the future.\n\n \n\n\nIf we look closely at the list above, we can see that a number of seemingly interesting instructions were added:\n\n \n\n\n * with new global and local type subroutines in OpenType, a callgsubr instruction was introduced,\n\n * hinting-related instructions (hstemhm, hintmask, cntrmask, ...),\n\n * arithmetic and logic instructions (and, or, not, abs, add, sub, neg, ...),\n\n * miscellaneous instructions (random),\n\n * instructions operating on the transient array (get, put).\n\n \n\n\nOn the other hand, the \u201cOtherSubrs\u201d functionality was dropped and the callothersubr instruction removed. The execution environment didn\u2019t fundamentally change as compared to Type 1 \u2013 it still consists of an instruction stream, operand stack (extended from 24 to 48 entries) and a transient array (converted to a fixed-size array of 32 items).\n\n \n\n\nOne other interesting part of the CFF specification is a table defining the various limits of data structures used to implement CFF font support (Figure 7). It is a great starting point for auditing any implementation of the format, as it explicitly indicates the places where things can go wrong due to some of these limits not being properly enforced.\n\n \n\n\nFigure 7. Implementation limits of Type 2 Charstring interpreters (source: The Type 2 Charstring Format, Adobe Systems Inc.)\n\n \n\n\nArmed with some general knowledge of the Type 1 / OpenType formats and the Charstring execution environment, let\u2019s dive into the Adobe Type Manager Font Driver, which is one of the most complete implementations among PostScript font engines, and is still used in the Windows kernel to rasterize fonts in the operating system.\n\n# Adobe Type Manager Font Driver\n\nThe ATMFD.DLL library is a third-party Windows kernel module provided by Adobe, which handles all Type 1 and OpenType fonts loaded via the GDI interface. It is based on Adobe Type Manager, a family of programs developed by Adobe alongside the PostScript font specification, used to manage fonts, rasterize them on computer monitors and print text on non-PostScript printers. ATM was available for Windows starting with Windows 3.0 as an optional component, and was first shipped by default in Windows 2000. For the last 15 years, the module has always been there, supporting PostScript fonts in the Windows environment.\n\n \n\n\nIn order to make use of ATMFD.DLL, Microsoft introduced a universal interface for installing external font drivers through the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Font Drivers registry key. To our current knowledge, the only value residing there in any default Windows installation is \"Adobe Type Manager\"=\"atmfd.dll\", and we are not aware of any other third-party font drivers in existence. However, it should be theoretically possible to develop and plug a custom driver supporting any font format we would wish.\n\n \n\n\nWhen one starts looking into the internals of ATMFD, one thing becomes immediately clear \u2013 as opposed to a majority of Windows libraries, this one doesn\u2019t have debug symbols available from the Microsoft symbol server. This makes it considerably more difficult to do any reverse-engineering from the start, and might also be one of the reasons why the TrueType font handling implemented in win32k.sys (Microsoft\u2019s component) is arguably more thoroughly audited. In order to (partly) work around the problem, we can make use of the fact that function symbols are available for the OpenType implementations found in DirectWrite (DWrite.dll) and Windows Presentation Foundation (PresentationCFFRasterizerNative_v0300.dll). By cross-diffing either of these modules with ATMFD.DLL, it is possible to recover the names of some functions, which might subsequently help with further analysis.\n\n \n\n\nQuite interestingly, there is also another approach to the problem of missing symbols. As Halvar Flake noticed, some ancient builds of Adobe Reader (the ones we know about are Reader 4 for AIX and Reader 5 for Windows) shipped with debug symbols, including the CoolType.dll font processing library. As the code has not fundamentally changed since then, it is also possible to use the old CoolType as a source of symbols which can be matched with modern ATMFD.DLL code; or better yet, all three pieces of software sharing the same common ancestor as ATMFD (DirectWrite, WPF, CoolType) could be used together to get the most complete picture of the reverse engineered module.\n\n \n\n\nThere are also other sorts of information included in the Adobe Type Manager which can help us find our way in the assembly \u2013 the font driver is full of debug messages which contain a variety of information, like local/global variable names, function names, expressions used in the code and source file paths. Additionally, we can also find a number of string literals related to Type 1 fonts (e.g. names of dictionary fields) which reveal the locations of functions dealing with those entries through their cross-references in the DLL. Examples of such useful strings are shown below: \n\n\n \n\n\n\n\n \n\n\n... and many others. All this information makes it relatively easy to spot the target we are after in this research - the Charstring processing routine - as it directly references many such Charstring related debug strings: \n\n\n \n\n\n\n\n \n\n\nIncidentally, the function is also by far the largest one in the DLL file, with a size of more than 20kB, while the second largest routine is \u201conly\u201d 4kB long. The magnitude and complexity of the function is best illustrated by a control flow graph, as presented in Figure 8. In order to display the graph, the maximum number of nodes in IDA had to be increased from the default value of 1000.\n\n \n\n\n\n\nFigure 8. Control flow graph representation of the Charstring processing function found in ATMFD.DLL.\n\n \n\n\nWe can further confirm that this is in fact the desired function by using the methods discussed above to acquire its name from one of the libraries with available symbols. If we look into DirectWrite or Windows Presentation Foundation, we will learn that the caller of the function is named \u201cType1InterpretCharString\u201d; in CoolType, the function itself is called \u201cDoType1InterpretCharString\u201d, affirming that this in fact the piece of code we want to look into.\n\n \n\n\nAs indicated by the shape and structure of the above graph, we can deduce that the routine most likely consists of a giant switch/case construct, handling each of the various supported PostScript operators accordingly. A deeper analysis of the function shows that this is in fact the case \u2013 during each iteration of the execution loop, the function fetches the next command opcode and enters a corresponding block of code: \n \nBYTE op = *charstring++; \nswitch (op) { \ncase HSTEM: \n... \ncase VSTEM: \n... \ncase VMOVETO: \n... \n. \n. \n. \n}\n\n \n\n\nHowever, this construct alone doesn\u2019t justify the size of the function. In part, it is caused by the fact that it is a universal interpreter used for both Type 1 and Type 2 Charstrings, which are binary compatible formats as mentioned above. This already bodes well for an attacker, as it enables Type 1 Charstrings to make use of all Type 2 (OpenType/CFF) features and vice versa \u2013 for example, if there was a vulnerability in a Type 1 specific operator (unrelated to the general structure of Type 1 fonts), an exploit for the vulnerability could also be delivered via an OpenType file, which might sometimes be more convenient for an attacker (.OTF being the more widespread and generally trusted file format). \n\n \n\n\nFurther inspection also shows the real reason for the bloated interpreter \u2013 it implements every single feature that has ever been part of the Type 1 or Type 2 specifications, including the strictly experimental ones or those officially deprecated many years ago. As the formats have been evolving for decades, the currently officially supported Charstring commands are only a small subset of the entirety of the operators that have ever seen daylight. While presumably done to maintain compatibility with all fonts in existence (including ones created many years ago), this situation is also favorable to a vulnerability hunter, since:\n\n \n\n\n 1. it significantly increases the attack surface open for analysis and exploitation,\n\n 2. the implementations of legacy or deprecated features that have not been heard of for a long time are frequently affected by security vulnerabilities, as other developers or researchers might have not been aware of the \u201chidden\u201d functionality, which may thus have remained untested for many years.\n\n \n\n\nThe last noteworthy discovery I made while delving into the interpreter was that the PostScript operand stack (with a maximum of 48 32-bit elements) was implemented in the form of a local array on the interpreter\u2019s function stack, and called \u201cop_stk\u201d according to various debug messages referring to it. The current position on the stack was indicated by a local pointer called \u201cop_sp\u201d, which would be originally set to &op_stk[0], and then incremented or decremented depending on the executed PostScript commands. While this isn\u2019t a bug or bad behavior in itself, it makes it easy for the developer to slip, as somewhat advanced pointer arithmetic needs to be employed to correctly performs all bounds checks affecting the value of \u201cop_sp\u201d \u2013 and if one of such checks is missing or faulty, the consequences of having an out-of-bounds operand stack pointer pointing somewhere on the local thread\u2019s stack while executing subsequent Charstring instructions might have catastrophic consequences for the security of the affected software. However, let\u2019s not jump the gun. :-)\n\n \n\n\nAll of the above kept my hopes high for some interesting discoveries \u2013 and, as shown at the top of the post, I didn\u2019t end up disappointed. In the following section, I will discuss my most impactful finding, the BLEND vulnerability, which provided a primitive allowing for a complete and fully reliable bypass of all currently available software exploit mitigations, and affected both Adobe Reader and the Windows Kernel (ATMFD.DLL) at the same time. Read on.\n\n# The BLEND vulnerability (CVE-2015-0093, CVE-2015-3052)\n\nIn order to understand the vulnerability being the main subject of the post, we first have to get a grasp on the functionality it was discovered in \u2013 the \u201cblend\u201d PostScript operator. It is strongly related to the forgotten Multiple Masters font extension, and was originally introduced in the \u201cThe Type 2 Charstring Format\u201d document on 5 May 1998. It was the time when \u201cMultiple Masters\u201d - originally an extension of Type 1 PostScript fonts - was also considered as an addition to the new OpenType/CFF format, resulting in a number of MM-related operators added to the 1998 revision of the Charstring specification (together with new fields introduced into the CFF format). However, since the idea of OpenType/MM was not widely adopted (with just a few such fonts ever coming into existence, none of the publicly used), all references to Multiple Masters were soon removed from the document on 16 March 2000, as shown in the excerpt in Figure 9.\n\n \n\n\n\n\nFigure 9. An excerpt from the change log of the \u201cThe Type 2 Charstring Format\u201d document from 16 March 2000.\n\n \n\n\nLess than two years of the feature\u2019s existence already warranted it a place in the Charstring interpreter found in the Windows kernel and Adobe Reader.\n\n \n\n\nThe details of the operation performed by the instruction are explained in the Type 2 Charstring specs from 1998. From a security perspective, the outcome of executing a \u201cblend\u201d operator boils down to the following actions:\n\n \n\n\n * Loading a signed 16-bit integer value from the operand stack (let\u2019s call it n).\n\n * Loading k*n further elements from the stack, where k is the number of the font\u2019s master designs (2-16, controlled via the length of the /WeightVector Type 1 table).\n\n * Pushing n values back to the operand stack.\n\n \n\n\nIn other words, the instruction \u201cblends\u201d k*n values into n numbers on the PostScript stack, with k being a controlled small number and n being an arbitrary 15-bit number with sign. With such complex functionality, involving shifting the stack pointer in various directions based on the result of an arithmetic operation where factors are user-controlled, a number of things can obviously go wrong. The authors of the code were definitely aware of this too, as they included a number of sanity checks executed prior to performing any actual operations on the operand stack:\n\n 1. Is the stack pointer within the bounds of the operand stack? \nop_sp >= op_stk && op_sp <= &op_stk_end \n\n\n 2. Is there at least one item on the operand stack (the n value)? \nop_sp >= &op_sp[1] \n\n\n 3. Are there at least k*n items on the operand stack to load? \n&op_stk[n * master_designs] <= op_sp \n\n\n 4. Is there enough space left on the stack to push the output parameters? \nmaster_designs != 0 || &op_sp[n] < &op_stk_end\n\n \n\n\nThe checks were also made easier to understand thanks to a number of debug messages referenced in the code:\n\n\"stack underflow in cmdBLEND\",\n\n\"stack overflow in cmdBLEND\"\n\n\"DoBlend would underflow operand stack\", \"op_stk + inst->lenWeightVector*nArgs <= op_sp\"\n\n \n\n\nWhile the developers went to some great lengths to make sure that the operation would be safe, they missed one corner case: a negative value of n, which is the culprit of the vulnerability. In such case, the control flow reaches a \u201cDoBlend\u201d function, which is where the actual blending operation is performed. If we disregard the specific values loaded from and pushed to the stack, then the only thing the routine does is perform the following operation on the operand stack pointer: \n\n\nop_sp -= n * (master_designs - 1) * 4\n\n \n\n\nwhich is a different way of expressing the popping of k*n values, and pushing n values back. In fact, the \u201cDoBlend\u201d function is fortunately constructed such that for a negative n, no actual popping/pushing takes place, avoiding unnecessary corruption of the stack data; however, the \u201cop_sp\u201d pointer is still adjusted accordingly to the formula above. This means that with a controlled 16-bit n, we can increase the stack pointer arbitrarily beyond the \u201cop_stk\u201d array. Since having \u201cop_sp\u201d always point to inside of \u201cop_stk\u201d is one of the fundamental assumptions made by the interpreter code, it is also a security boundary which can be crossed with a sufficiently small negative n number.\n\n \n\n\nIt should be noted that while the \u201cblend\u201d operator was documented as part of the Type 2 Charstring specs (used in OpenType files), nowadays it is only functional in the context of Type 1 fonts. This is due to the fact that the number of master designs (referred to as the k factor) can only be controlled via the length of the /WeightVector array in the Top DICT of Type 1 fonts, as the corresponding CFF entries are no longer supported by ATMFD. Hence, the vulnerability is limited to Type 1 fonts only.\n\n \n\n\nIt turns out that the rest of the code continues to work in the attacker\u2019s favor. Once we execute the \u201cblend\u201d instruction which increases \u201cop_sp\u201d beyond the end of \u201cop_stk\u201d, another iteration of the interpreter loop takes place, which starts with the following lines of code: \n \nif (op_sp < op_stk) { \nAtmfdDbgPrint(\"windows\\\\\\core\\\\\\ntgdi\\\\\\fondrv\\\\\\otfd\\\\\\bc\\\\\\t1interp.c\", \n4475, \"underflow of Type 1 operand stack\", \n\"op_sp >= op_stk\"); \nabort(); \n}\n\n \n\n\nThat\u2019s right \u2013 at the beginning of each instruction\u2019s execution, the function checks that \u201cop_sp\u201d is not below the operand stack array, but at the same time doesn\u2019t verify the upper boundary, making it possible for the Charstring to continue normal execution with an inconsistent state of the interpreter (an out-of-bounds stack pointer).\n\n \n\n\nConsidering that there are two factors of the product used to shift the operand stack pointer (n and k), the maximum number of bytes we can increase \u201cop_sp\u201d by is 32768 (maximum negative value of n) times 15 (maximum number of k - 1) times 4 (size of a single stack item) = 1966080 (0x1E0000), or almost 2MB. Since the exploited thread\u2019s stack will probably always be smaller than that, it would allow us to operate on other types of nearby memory regions such as heaps/pools, executable images etc. On the other hand, with k=2, the stack pointer is shifted by exactly -n*4 bytes (-n DWORDs), which provides a great granularity for out-of-bounds memory access. By using a simple two-command \u201c-x BLEND\u201d instruction sequence, we can set \u201cop_sp\u201d to any 4-byte aligned offset relative to the \u201cop_stk\u201d array!\n\n \n\n\nThe impact of the vulnerability in the context of ATMFD.DLL can be easily illustrated by using a short stream of four Charstring instructions, which perform the following actions:\n\n \n\n\n 1. Shift the operand stack pointer so that it points at the interpreter function\u2019s return address.\n\n 2. Trigger an \u201cexchange\u201d operation, swapping the two topmost operand stack entries, which in this case are the stack frame pointer (saved EBP) and the return address.\n\n 3. Use the ENDCHAR command to cause the control flow to leave the interpreter, thus triggering a bugcheck upon an attempt to execute data from stack while using the corrupted return address.\n\n \n\n\nThis process is also shown in the animation below:\n\n\n\n \n\n\nAnd the resulting kernel crash would look as follows:\n\nATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc) \nAn attempt was made to execute non-executable memory. The guilty driver \nis on the stack trace (and is typically the current instruction pointer). \nWhen possible, the guilty driver's name (Unicode string) is printed on \nthe bugcheck screen and saved in KiBugCheckDriver. \nArguments: \nArg1: 97ebf6a4, Virtual address for the attempted execute. \nArg2: 11dd2963, PTE contents. \nArg3: 97ebf56c, (reserved) \nArg4: 00000002, (reserved)\n\n \n\n\nThe impact of the vulnerability is greatly elevated by the fact that we can use all implemented operators (arithmetic, storage, etc.) over the out-of-bounds \u201cop_sp\u201d pointer, making it possible to add, subtract, move data around the stack, insert constants and so on. In other words, it provides us with all the primitives necessary to build a full ROP chain used to achieve arbitrary code execution. This, in turn, enables the creation of a 100% reliable exploit subverting all modern exploit mitigations such as stack cookies, DEP, ASLR or SMEP. The entire exploitation process takes place during Charstring execution, and therefore doesn\u2019t require any interaction with the vulnerable software other than loading a specially crafted font.\n\n \n\n\nThe only downside of the bug is that it doesn\u2019t affect 64-bit platforms. This is caused by one of the bounds checks in the \u201cblend\u201d operator implementation, which does in fact prevent negative values of n from passing through, thanks to a subexpression being cast to a 32-bit unsigned integer value before being added to a 64-bit pointer: \n\n\nif ((uint64)(&op_stk + 4 * (uint32)(n * master_designs)) > op_sp)\n\n \n\n\nThe behavior effectively eliminates the vulnerability from the compiled code \u2013 however, there isn\u2019t so much to worry about from the exploitation angle. At the time of this writing, Adobe only ships 32-bit builds of Reader, making all unpatched installations of the software affected by the flaw. While x64 builds of the Windows kernel might be more troublesome, other vulnerabilities discovered during the research could be used to escape the sandbox in our proof of concept exploit, which will also be discussed later in the series.\n\n \n\n\nThat\u2019s it for today. In the subsequent upcoming posts, we will discuss the process of developing a universal, fully reliable proof-of-concept PDF file, which will spawn an elevated calc.exe running with high integrity level and the \u201cSystem\u201d security token when opened with the most recent vulnerable versions of Adobe Reader and Windows 8.1 32/64-bit.\n\n# References\n\n 1. [http://blog.typekit.com/2014/07/30/the-adobe-originals-silver-anniversary-story-how-the-originals-endured-in-an-ever-changing-industry/](<http://blog.typekit.com/2014/07/30/the-adobe-originals-silver-anniversary-story-how-the-originals-endured-in-an-ever-changing-industry/>)\n\n 2. [http://blog.typekit.com/25-years-of-adobe-originals/](<http://blog.typekit.com/25-years-of-adobe-originals/>)\n\n 3. [https://en.wikipedia.org/wiki/OpenType#History](<https://en.wikipedia.org/wiki/OpenType#History>)\n\n 4. [https://cansecwest.com/slides/2013/Analysis%20of%20a%20Windows%20Kernel%20Vuln.pdf](<https://cansecwest.com/slides/2013/Analysis%20of%20a%20Windows%20Kernel%20Vuln.pdf>)\n\n 5. [http://esec-lab.sogeti.com/posts/2011/07/16/analysis-of-the-jailbreakme-v3-font-exploit.html](<http://esec-lab.sogeti.com/posts/2011/07/16/analysis-of-the-jailbreakme-v3-font-exploit.html>)\n\n 6. [http://files.accuvant.com/web/file/4a2a88cc7dec477096b88e19eba57969/White%20Paper-%20pwn2own_2013__java_7_se_memory_corruption.pdf](<http://files.accuvant.com/web/file/4a2a88cc7dec477096b88e19eba57969/White%20Paper-%20pwn2own_2013__java_7_se_memory_corruption.pdf>)\n\n 7. [http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes](<http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes>)\n", "modified": "2015-07-31T00:00:00", "published": "2015-07-31T00:00:00", "id": "GOOGLEPROJECTZERO:A7C6FA01C9AD35D2B4A19AFD0239D7C8", "href": "https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html", "type": "googleprojectzero", "title": "\nOne font vulnerability to rule them all #1: Introducing the BLEND vulnerability\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-10T19:50:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0090", "CVE-2015-0089", "CVE-2015-0092", "CVE-2015-0088", "CVE-2015-0093", "CVE-2015-0091", "CVE-2015-0074", "CVE-2015-0087"], "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-021.", "modified": "2020-06-09T00:00:00", "published": "2015-03-11T00:00:00", "id": "OPENVAS:1361412562310805052", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805052", "type": "openvas", "title": "Microsoft Adobe Font Driver Remote Code Execution Vulnerabilities (3032323)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Adobe Font Driver Remote Code Execution Vulnerabilities (3032323)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805052\");\n script_version(\"2020-06-09T05:48:43+0000\");\n script_cve_id(\"CVE-2015-0074\", \"CVE-2015-0087\", \"CVE-2015-0088\", \"CVE-2015-0089\",\n \"CVE-2015-0090\", \"CVE-2015-0091\", \"CVE-2015-0092\", \"CVE-2015-0093\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 05:48:43 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-03-11 08:54:31 +0530 (Wed, 11 Mar 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Adobe Font Driver Remote Code Execution Vulnerabilities (3032323)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-021.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are exists in how the Adobe\n Font Driver manages memory when parsing fonts. The vulnerabilities are caused\n when the Adobe Font Driver improperly overwrites objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code with kernel-mode privileges and take\n complete control of the affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8 x32/x64\n\n - Microsoft Windows Server 2012/R2\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows 7 x32/x64 Service Pack 1 and prior\n\n - Microsoft Windows 2003 x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Vista x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/3032323\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS15-021\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2003:3, win2003x64:3, winVista:3, win7:2, win7x64:2,\n win2008:3, win2008r2:2, win8:1, win8x64:1, win2012:1,\n win2012R2:1, win8_1:1, win8_1x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\nuserVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Atmfd.dll\");\nif(!userVer){\n exit(0);\n}\n\n\nif(hotfix_check_sp(win2003:3, win2003x64:3) > 0)\n{\n if(version_is_less(version:userVer, test_version:\"5.2.2.241\")){\n report = report_fixed_ver(installed_version:userVer, fixed_version:\"5.2.2.241\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n}\n\n## Win 8.1 and win2012R2\nif(hotfix_check_sp(winVista:3, win2008:3, win7:2, win7x64:2, win2008r2:2, win8:1,\n win8x64:1, win2012:1, win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(version_is_less(version:userVer, test_version:\"5.1.2.241\")){\n report = report_fixed_ver(installed_version:userVer, fixed_version:\"5.1.2.241\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:52:45", "bulletinFamily": "info", "cvelist": ["CVE-2015-0090", "CVE-2015-0089", "CVE-2015-0092", "CVE-2015-0088", "CVE-2015-0093", "CVE-2015-0091", "CVE-2015-0074", "CVE-2015-0087"], "description": "### *Detect date*:\n03/10/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple critical vulnerabilities have been found in Microsoft products. Malicious users can exploit these vulnerabilities to cause denial of service, obtain sensitive information or execute arbitrary code.\n\n### *Affected products*:\nWindows Server 2003 x86, x64, for Itanium-based Systems, Service Pack 2 \nWindows Vista x86, x64 Service Pack 2 \nWindows Server 2008 x86, x64, for Itanium-based Systems Service Pack 2 \nWindows 7 x86, x64 Service Pack 1 \nWindows Server 2008 R2 x64, for Itanium-based Systems Service Pack 1 \nWindows 8 x86, x64 \nWindows 8.1 x86, x64 \nWindows RT, RT 8.1 \nWindows Server 2008 x64 Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 x64 Service Pack 1 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS advisory](<https://technet.microsoft.com/library/security/MS15-021>) \n[CVE-2015-0074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0074>) \n[CVE-2015-0090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0090>) \n[CVE-2015-0091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0091>) \n[CVE-2015-0092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0092>) \n[CVE-2015-0093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0093>) \n[CVE-2015-0089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0089>) \n[CVE-2015-0087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0087>) \n[CVE-2015-0088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0088>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2015-0074](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0074>)4.3Warning \n[CVE-2015-0090](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0090>)9.3Critical \n[CVE-2015-0091](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0091>)9.3Critical \n[CVE-2015-0092](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0092>)9.3Critical \n[CVE-2015-0093](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0093>)9.3Critical \n[CVE-2015-0089](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0089>)5.0Critical \n[CVE-2015-0087](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0087>)5.0Critical \n[CVE-2015-0088](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0088>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3032323](<http://support.microsoft.com/kb/3032323>)\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "edition": 41, "modified": "2020-06-18T00:00:00", "published": "2015-03-10T00:00:00", "id": "KLA10468", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10468", "title": "\r KLA10468Multiple vulnerabilities in Microsoft products ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:49:25", "bulletinFamily": "microsoft", "cvelist": ["CVE-2015-0090", "CVE-2015-0089", "CVE-2015-0092", "CVE-2015-0088", "CVE-2015-0093", "CVE-2015-0091", "CVE-2015-0074", "CVE-2015-0087"], "description": "<html><body><p>Resolves privately disclosed vulnerabilities in Windows that could allow remote code execution if a user views a specially crafted file or website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves eight privately disclosed vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted file or website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs, could view, change, or delete data, or could create new accounts that have full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less affected than customers who operate with administrative user rights. </div><h2>Introduction</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS15-021. To learn more about this security bulletin:<br/><ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"https://www.microsoft.com/security/pc-security/updates.aspx\" id=\"kb-link-1\" target=\"_self\">https://www.microsoft.com/security/pc-security/updates.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"https://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">https://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"https://technet.microsoft.com/library/security/ms15-021\" id=\"kb-link-3\" target=\"_self\">https://technet.microsoft.com/library/security/MS15-021</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates:<br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals:<br/><a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your Windows-based computer from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country:<br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\">Windows Server 2003 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\">Security update file names</td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2003:<br/><span class=\"text-base\">WindowsServer2003-KB3032323-x86-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2003:<br/><span class=\"text-base\">WindowsServer2003-KB3032323-x64-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2003:<br/><span class=\"text-base\">WindowsServer2003-KB3032323-ia64-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installation switches</td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-8\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Update Log File</td><td class=\"sbody-td\">KB3032323.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart requirement</td><td class=\"sbody-td\">You must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">Use\u00a0the <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel\u00a0or the Spuninst.exe utility that is located in the %Windir%\\$NTUninstallKB3032323$\\Spuninst folder</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File information</td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry key verification</td><td class=\"sbody-td\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows Server 2003\\SP3\\KB3032323\\Filelist</td></tr></table></div><h4 class=\"sbody-h4\">Windows Vista (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3032323-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3032323-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-9\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support the removal of updates. To uninstall an update that was installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2008 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3032323-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3032323-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.1-KB3032323-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-10\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support the removal of updates. To uninstall an update that was installed by WUSA, click\u00a0<span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 7 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3032323-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows8.1-KB3032323-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-11\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that was installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch, or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows8.1-KB3032323-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3032323-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-12\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that was installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch, or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 8 and Windows 8.1 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8:<br/><span class=\"text-base\">Windows8-RT-KB3032323-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8:<br/><span class=\"text-base\">Windows8-RT-KB3032323-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3032323-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3032323-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-13\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that was installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch, or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2012 and Windows Server 2012 R2 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3032323-arm.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3032323-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-14\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that was installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch, or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows RT and Windows RT 8.1 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">These updates are available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-15\" target=\"_self\">Windows Update</a> only.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">You must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr></table></div></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div><h2>File information</h2><div class=\"kb-summary-section section\">The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.<br/><br/><br/><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Windows Server 2003 file information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific milestone (SP<strong class=\"sbody-strong\">n</strong>) and service branch (QFE, GDR) are noted in the \"SP requirement\" and \"Service branch\" columns.</li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.</li><li>In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KB<strong class=\"sbody-strong\">number</strong>.cat) that is signed with a Microsoft digital signature.</li></ul><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">293,168</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:01</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.2.2.241</td><td class=\"sbody-td\">463,360</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:59</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">221,488</td><td class=\"sbody-td\">16-May-2014</td><td class=\"sbody-td\">03:14</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.2.2.241</td><td class=\"sbody-td\">290,816</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:42</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h4 class=\"sbody-h4\">For all supported IA-64-based versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Spuninst.exe</td><td class=\"sbody-td\">6.3.4.1</td><td class=\"sbody-td\">501,552</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:01</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">None</td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.2.2.241</td><td class=\"sbody-td\">840,192</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:59</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Windows Vista and Windows Server 2008 file information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (SP<strong class=\"sbody-strong\">n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:<br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"><span class=\"text-base\">Version</span></th><th class=\"sbody-th\"><span class=\"text-base\">Product</span></th><th class=\"sbody-th\"><span class=\"text-base\">Milestone</span></th><th class=\"sbody-th\"><span class=\"text-base\">Service branch</span></th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">2</span>.<span class=\"text-base\">18</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP2 and Windows Server 2008 SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">2</span>.<span class=\"text-base\">23</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP2 and Windows Server 2008 SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li></ul><span class=\"text-base\">Note</span> The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">296,960</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:28</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:03</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6002.18051</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">15-Jun-2009</td><td class=\"sbody-td\">14:51</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.18272</td><td class=\"sbody-td\">72,704</td><td class=\"sbody-td\">16-Jun-2010</td><td class=\"sbody-td\">15:30</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6002.18051</td><td class=\"sbody-td\">23,552</td><td class=\"sbody-td\">15-Jun-2009</td><td class=\"sbody-td\">14:52</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">296,960</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:24</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:36</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:36</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">72,704</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:36</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">23,552</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:37</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">372,224</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:39</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">48,128</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6002.18051</td><td class=\"sbody-td\">14,336</td><td class=\"sbody-td\">15-Jun-2009</td><td class=\"sbody-td\">15:10</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.18272</td><td class=\"sbody-td\">96,256</td><td class=\"sbody-td\">16-Jun-2010</td><td class=\"sbody-td\">16:30</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6001.18000</td><td class=\"sbody-td\">32,768</td><td class=\"sbody-td\">19-Jan-2008</td><td class=\"sbody-td\">08:02</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">372,224</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:52</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">48,128</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">14,336</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">96,256</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">32,768</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:45</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">296,960</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:28</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:03</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6002.18051</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">15-Jun-2009</td><td class=\"sbody-td\">14:51</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.18272</td><td class=\"sbody-td\">72,704</td><td class=\"sbody-td\">16-Jun-2010</td><td class=\"sbody-td\">15:30</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6002.18005</td><td class=\"sbody-td\">23,552</td><td class=\"sbody-td\">11-Apr-2009</td><td class=\"sbody-td\">06:26</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">296,960</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:24</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:36</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:36</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">72,704</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:36</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">23,552</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:38</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported IA-64-based versions of Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">778,752</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:29</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">92,160</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:26</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6001.18000</td><td class=\"sbody-td\">29,184</td><td class=\"sbody-td\">19-Jan-2008</td><td class=\"sbody-td\">08:26</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.18124</td><td class=\"sbody-td\">196,096</td><td class=\"sbody-td\">19-Oct-2009</td><td class=\"sbody-td\">13:31</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6001.18000</td><td class=\"sbody-td\">68,608</td><td class=\"sbody-td\">19-Jan-2008</td><td class=\"sbody-td\">08:28</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">778,752</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:28</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">92,160</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:07</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">29,184</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:08</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">196,096</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:08</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">68,608</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:08</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">296,960</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:28</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:03</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6002.18051</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">15-Jun-2009</td><td class=\"sbody-td\">14:51</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.18272</td><td class=\"sbody-td\">72,704</td><td class=\"sbody-td\">16-Jun-2010</td><td class=\"sbody-td\">15:30</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6002.18005</td><td class=\"sbody-td\">23,552</td><td class=\"sbody-td\">11-Apr-2009</td><td class=\"sbody-td\">06:26</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">296,960</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">00:24</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:36</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:36</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">72,704</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:36</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.0.6002.23634</td><td class=\"sbody-td\">23,552</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">01:38</td><td class=\"sbody-td\">x86</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Windows 7 and Windows Server 2008 R2 file information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (RTM, SP<strong class=\"sbody-strong\">n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table: <br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"><span class=\"text-base\">Version</span></th><th class=\"sbody-th\"><span class=\"text-base\">Product</span></th><th class=\"sbody-th\"><span class=\"text-base\">Milestone</span></th><th class=\"sbody-th\"><span class=\"text-base\">Service branch</span></th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.1.760<span class=\"text-base\">1</span>.<span class=\"text-base\">18</span>xxx</td><td class=\"sbody-td\">Windows 7 and Windows Server 2008 R2</td><td class=\"sbody-td\">SP1</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.1.760<span class=\"text-base\">1</span>.<span class=\"text-base\">22</span>xxx</td><td class=\"sbody-td\">Windows 7 and Windows Server 2008 R2</td><td class=\"sbody-td\">SP1</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li></ul><span class=\"text-base\">Note</span> The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows 7</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">299,008</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:09</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">26,624</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">299,008</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:50</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">26,624</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows 7 and Windows Server 2008 R2</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">779,264</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:51</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">91,648</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:37</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">32,768</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:37</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">197,632</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:37</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">73,728</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:37</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">779,264</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:14</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">91,648</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:02</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">32,768</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:02</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">197,632</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:02</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">73,728</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:02</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">299,008</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:09</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:12</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">299,008</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:50</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:14</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported IA-64-based versions of Windows Server 2008 R2</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">372,224</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:29</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">46,080</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:40</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">14,336</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:40</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">100,864</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:40</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">41,984</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:41</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">372,224</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:46</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">46,080</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:25</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">14,336</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:25</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">100,864</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:25</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">41,984</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:25</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">299,008</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:09</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:13</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.18768</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">04:12</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">299,008</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:50</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">34,304</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">10,240</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">70,656</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:17</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.1.7601.22974</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">05:14</td><td class=\"sbody-td\">x86</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Windows 8 and Windows Server 2012 file information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (RTM,SP<strong class=\"sbody-strong\">n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:<br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"><span class=\"text-base\">Version</span></th><th class=\"sbody-th\"><span class=\"text-base\">Product</span></th><th class=\"sbody-th\"><span class=\"text-base\">Milestone</span></th><th class=\"sbody-th\"><span class=\"text-base\">Service branch</span></th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.2.920 <span class=\"text-base\">0.16</span> xxx</td><td class=\"sbody-td\">Windows 8 and Windows Server 2012</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.2.920 <span class=\"text-base\">0.20</span> xxx</td><td class=\"sbody-td\">Windows 8 and Windows Server 2012</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li></ul><span class=\"text-base\">Note</span> The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows 8</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">07:24</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">35,328</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">08:10</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.2.9200.16453</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">08-Nov-2012</td><td class=\"sbody-td\">04:24</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.2.9200.16453</td><td class=\"sbody-td\">75,776</td><td class=\"sbody-td\">08-Nov-2012</td><td class=\"sbody-td\">04:24</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.2.9200.16453</td><td class=\"sbody-td\">3,072</td><td class=\"sbody-td\">08-Nov-2012</td><td class=\"sbody-td\">04:01</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">06:47</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">35,328</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">07:32</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.2.9200.16384</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">26-Jul-2012</td><td class=\"sbody-td\">03:18</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.2.9200.16384</td><td class=\"sbody-td\">75,776</td><td class=\"sbody-td\">26-Jul-2012</td><td class=\"sbody-td\">03:18</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.2.9200.16384</td><td class=\"sbody-td\">3,072</td><td class=\"sbody-td\">26-Jul-2012</td><td class=\"sbody-td\">02:41</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows 8 and Windows Server 2012</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">366,592</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">11:56</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">46,080</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">13:59</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.2.9200.16453</td><td class=\"sbody-td\">14,336</td><td class=\"sbody-td\">08-Nov-2012</td><td class=\"sbody-td\">04:20</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.2.9200.16453</td><td class=\"sbody-td\">96,256</td><td class=\"sbody-td\">08-Nov-2012</td><td class=\"sbody-td\">04:20</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.2.9200.16453</td><td class=\"sbody-td\">3,072</td><td class=\"sbody-td\">08-Nov-2012</td><td class=\"sbody-td\">04:02</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">366,592</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">07:56</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">46,080</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">08:38</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.2.9200.16384</td><td class=\"sbody-td\">14,336</td><td class=\"sbody-td\">26-Jul-2012</td><td class=\"sbody-td\">03:05</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.2.9200.16384</td><td class=\"sbody-td\">96,256</td><td class=\"sbody-td\">26-Jul-2012</td><td class=\"sbody-td\">03:05</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.2.9200.16384</td><td class=\"sbody-td\">3,072</td><td class=\"sbody-td\">26-Jul-2012</td><td class=\"sbody-td\">02:33</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">07:24</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">35,328</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">08:10</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.2.9200.16453</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">08-Nov-2012</td><td class=\"sbody-td\">04:24</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.2.9200.16453</td><td class=\"sbody-td\">75,776</td><td class=\"sbody-td\">08-Nov-2012</td><td class=\"sbody-td\">04:24</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.2.9200.16453</td><td class=\"sbody-td\">3,072</td><td class=\"sbody-td\">08-Nov-2012</td><td class=\"sbody-td\">04:01</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">304,128</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">06:47</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">35,328</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">07:32</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.2.9200.16384</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">26-Jul-2012</td><td class=\"sbody-td\">03:18</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.2.9200.16384</td><td class=\"sbody-td\">75,776</td><td class=\"sbody-td\">26-Jul-2012</td><td class=\"sbody-td\">03:18</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.2.9200.16384</td><td class=\"sbody-td\">3,072</td><td class=\"sbody-td\">26-Jul-2012</td><td class=\"sbody-td\">02:41</td><td class=\"sbody-td\">x86</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Windows 8.1 and Windows Server 2012 R2 file information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows 8.1</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">301,056</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:20</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">35,840</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:15</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.3.9600.17415</td><td class=\"sbody-td\">11,776</td><td class=\"sbody-td\">29-Oct-2014</td><td class=\"sbody-td\">02:00</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.3.9600.17415</td><td class=\"sbody-td\">77,824</td><td class=\"sbody-td\">29-Oct-2014</td><td class=\"sbody-td\">02:00</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.3.9600.17415</td><td class=\"sbody-td\">3,072</td><td class=\"sbody-td\">29-Oct-2014</td><td class=\"sbody-td\">02:04</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows 8.1 and Windows Server 2012 R2</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">358,912</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">03:03</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">44,032</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:58</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.3.9600.17415</td><td class=\"sbody-td\">14,848</td><td class=\"sbody-td\">29-Oct-2014</td><td class=\"sbody-td\">02:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.3.9600.17415</td><td class=\"sbody-td\">96,256</td><td class=\"sbody-td\">29-Oct-2014</td><td class=\"sbody-td\">02:44</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.3.9600.17415</td><td class=\"sbody-td\">3,072</td><td class=\"sbody-td\">29-Oct-2014</td><td class=\"sbody-td\">02:49</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmfd.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">301,056</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:20</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Atmlib.dll</td><td class=\"sbody-td\">5.1.2.241</td><td class=\"sbody-td\">35,840</td><td class=\"sbody-td\">20-Feb-2015</td><td class=\"sbody-td\">02:15</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Dciman32.dll</td><td class=\"sbody-td\">6.3.9600.17415</td><td class=\"sbody-td\">11,776</td><td class=\"sbody-td\">29-Oct-2014</td><td class=\"sbody-td\">02:00</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Fontsub.dll</td><td class=\"sbody-td\">6.3.9600.17415</td><td class=\"sbody-td\">77,824</td><td class=\"sbody-td\">29-Oct-2014</td><td class=\"sbody-td\">02:00</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Lpk.dll</td><td class=\"sbody-td\">6.3.9600.17415</td><td class=\"sbody-td\">3,072</td><td class=\"sbody-td\">29-Oct-2014</td><td class=\"sbody-td\">02:04</td><td class=\"sbody-td\">x86</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">File hash information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">SHA1 hash</th><th class=\"sbody-th\">SHA256 hash</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3032323-ia64.msu</td><td class=\"sbody-td\">2BD0898AD5E8ADBBD3EC6A35FB8ADC4A4BE761B2</td><td class=\"sbody-td\">FD33DED0133BFE565829D2185B73C436B1F9D42461D3BFE00AF08E430DA1425E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3032323-ia64.msu</td><td class=\"sbody-td\">E18CD12545F7F4F638280C62C88CCD8633BD5562</td><td class=\"sbody-td\">76E5793C3795E9A1B29A3E7759C83FDB2CFE67137D41DBC55917CB5379D1352D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3032323-ia64.msu</td><td class=\"sbody-td\">F3CC7FA1B8C2F9925E89557A4F4FB89BEB001F0D</td><td class=\"sbody-td\">73FF68445945795DEC052B60FBB78938F7189C1E79BFBF8433070B50D9C0D1DB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3032323-x64.msu</td><td class=\"sbody-td\">30072FE320D2134065A4D8938E97E76E05A1EA06</td><td class=\"sbody-td\">2BFC721CD35DFEC35A1E57619C0488460D64530EB7E7572EB8FD0B99718FD9D1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3032323-x64.msu</td><td class=\"sbody-td\">E0A9FDE11C479B5C68E948C1955ABE5BE58E546D</td><td class=\"sbody-td\">F8642018650375E981D5B317CDFF5BB19EE22D052B555ACA609BDD36BAB6C115</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3032323-x64.msu</td><td class=\"sbody-td\">FE869B160BA8A13AA9A0B2662EDE20CBD3A73AF6</td><td class=\"sbody-td\">277719A878E6E36CA7099308F501613772ADA3115FF059C448D22EF229C9C8C7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3032323-x86.msu</td><td class=\"sbody-td\">1B9AEF6D0BBFF4B7932263CFD7C3A61497B33853</td><td class=\"sbody-td\">9E024D0B04EE53E03B06052C1F91D6C1C3180CD8076C938D12AA3F5FB7D42F8F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3032323-x86.msu</td><td class=\"sbody-td\">49FD2DA01C21C86A5203748E82787EE9211A3D69</td><td class=\"sbody-td\">7266B66EB114F83DDF08D60FC3D822B426E0B53E4764D1E9D966305A6E6F3B69</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3032323-x86.msu</td><td class=\"sbody-td\">931C4A16E0EED56EC96BCB019B41DD6BA4FF1087</td><td class=\"sbody-td\">52C16D1AF9AA32F47DBCA57880D3D96518B6B988493A7707EC08062A02027DA1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-ia64.msu</td><td class=\"sbody-td\">632676DA9E108FA14D862DDE66824B17342E88C1</td><td class=\"sbody-td\">D33B0E81A6EEBEDD7B258748584A5468E4E7A6FF9EA736C1CFD1FBDA52C10C8F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-ia64.msu</td><td class=\"sbody-td\">6AA15143D215E447F0462FA5B24BF4C4018B04E4</td><td class=\"sbody-td\">4EC5227DF2F5FED86B5C8F202F61BEFCEF43E7A188C206E8D1438EEF6BBA5202</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-ia64.msu</td><td class=\"sbody-td\">8073F80578908F04D3D0FE9132D5ED69547E3C01</td><td class=\"sbody-td\">794CCF8ADFBEDBB61028D80290F5D083553294FCD39E4EC63A9F30B50DE1E00B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-ia64.msu</td><td class=\"sbody-td\">89C2DB5CAAC80B6BFE249113DFEB6EE09E50639E</td><td class=\"sbody-td\">E7185FF016E061CD8B770B1D5414B05C4403B41E20570E739E517491A08CA371</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-x64.msu</td><td class=\"sbody-td\">0BC37C2455719C6214A45DEE478795A383C41E2D</td><td class=\"sbody-td\">54C4B75DC5316C1E1C78D23E59483914566F4035B3C43292A1235D0B34C8A22C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-x64.msu</td><td class=\"sbody-td\">1F60069E4422B7274028154F12E537C24351D03A</td><td class=\"sbody-td\">2823CFF59B55462D89D68B1F6685A5F405E823924DDD7D52559067AB47F8E51B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-x64.msu</td><td class=\"sbody-td\">839698CE1A18D3357AD79C8A51B1FE1CF16A86B7</td><td class=\"sbody-td\">117A8674ACE8DB6AB4D09054A720E5A30FCFE3E89EA6C8EBE95C1E7AEE7422F4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-x64.msu</td><td class=\"sbody-td\">A7A9F390F459B2F677B6166B1BFBC32AF5265A59</td><td class=\"sbody-td\">F87EF53E860C434E181C9A8C3471472A941043C2727F3187FE851ACA058DBAC5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-x86.msu</td><td class=\"sbody-td\">0DD4E0107C9ED0091E4406C8EC2804FA187CB2EE</td><td class=\"sbody-td\">EF901B6B50F24CC73B7CFAAA953700FE387B7AAFB48089EF8B2A72252C91CA4A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-x86.msu</td><td class=\"sbody-td\">2BCF847C9B2952BD3AEF007DB5FD05413F709347</td><td class=\"sbody-td\">7F70DE906E73500D1F395CD3443EB6BEF04BE2EDB64CA457D9655BEA19B4DFC1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-x86.msu</td><td class=\"sbody-td\">8A6AFBB838FD8635094D5FFF12E469093EFD8942</td><td class=\"sbody-td\">2B0053E9F233D65165D07DB2FBE0D4021B4472EC5ED60842224B0D1E386B15D2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3032323-x86.msu</td><td class=\"sbody-td\">9E5A9A6A04B67CA71EF4E36A6FB8AEE2ED383751</td><td class=\"sbody-td\">ECFFFD47F04B531038DFFFFCB290C97651D95B8D22A28219EB5846C9BE75275E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3032323-x64.msu</td><td class=\"sbody-td\">0E2E7E770BD49E0E291669A4F55687C88779FAAA</td><td class=\"sbody-td\">482141D76C8AD473DA38D885D3E0991811FD4465BE977266F0501AD671B31EA3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3032323-x64.msu</td><td class=\"sbody-td\">AB629E5A6EF05FC4024649DE9752268711678D0E</td><td class=\"sbody-td\">19627DBD67DEF43817D081219DE014954522A9EFFE82EE2B1976DA3DA7DD9DA3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3032323-x64.msu</td><td class=\"sbody-td\">AF35E9268F4835FF6F3C0887C1B3F9178C6D9053</td><td class=\"sbody-td\">FA40D112E49B537D76D8EF07166EF3BE869E6223BF33FC444466EE0328B73D58</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3032323-x64.msu</td><td class=\"sbody-td\">F98467C8A19A94433068255383BECF54AC75EBE7</td><td class=\"sbody-td\">C955A746F113758A940C9E5F1D3033F454CEF4C880AD4CF1772298EF3E26069A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3032323-x86.msu</td><td class=\"sbody-td\">22080AAE9D125B5602420FB11E5A61BA7AA33FDC</td><td class=\"sbody-td\">887DCE469DFDB50722FB6B1A99F249A2DD6C47EEED02FDC81CBFC0BFBD60F3F5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3032323-x86.msu</td><td class=\"sbody-td\">458DF766E92D30F2F12100566DDC489E3DC9CC63</td><td class=\"sbody-td\">CFC60061A1CA0C05835E20DE0D693826C2B761C8BE904ABB378E74E5159902C1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3032323-x86.msu</td><td class=\"sbody-td\">609268C3CC58CCB306657ADBA6AA7EA2CEAF72CE</td><td class=\"sbody-td\">04A674CB2979A92A03AB192B24910DB8F52038B854A9438859EC759D722B132D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3032323-x86.msu</td><td class=\"sbody-td\">FE46B6B96055912478A3A479C365BB432F5FCC6E</td><td class=\"sbody-td\">85E989F5F742B22FC1830E0AD23059F0D1F8D888F98714BFBB327D30DAE8CAE7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3032323-x64.msu</td><td class=\"sbody-td\">4DBFF358F918FFC267B5E35B6A9108BA5C067C5B</td><td class=\"sbody-td\">427DF01C0C035661CDF808BA6ED184E2D4F8C6944E6BB9639801CE123A599A6D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3032323-x64.msu</td><td class=\"sbody-td\">C0104819CCDC732C41902ACD73CF3FFDD5187847</td><td class=\"sbody-td\">A7AC2858FF2FE4447EE9C80D93EC9D8A04AC30802644992D43426D5DB973D902</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3032323-x64.msu</td><td class=\"sbody-td\">DD6A0BF3053D59BC46B27465DAF4432CE5BE91AB</td><td class=\"sbody-td\">455B091B613C3BE38586E44601F461FDAFB1C8ED9B1F1D2EE0ED3C21AF039212</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3032323-x86.msu</td><td class=\"sbody-td\">290691D3A3B2376FC1465376AE3763D8B75E4279</td><td class=\"sbody-td\">F7E58F3AF4071C45506635814976B77A15F8913463F6D55C4E640EF77B15F52D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3032323-x86.msu</td><td class=\"sbody-td\">319B667575F80FDAB0097428137A9FF2E7250378</td><td class=\"sbody-td\">020735CDFC0973FE76A431578D5DA1D5EF7A28100FE3FD8520D9D41DD283C0EB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3032323-x86.msu</td><td class=\"sbody-td\">7BFF48762591A68199D5F9B8893B08A63EEC1E0B</td><td class=\"sbody-td\">E90A7962ABA2E8AFE48E6A7F61CA997E05719AB7D17DCF07ED50CC0DC075B379</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-DEU.exe</td><td class=\"sbody-td\">419D35962B4D3A60FEBCA5211361D6E574EC0F21</td><td class=\"sbody-td\">37D45C422CA426171111E58BC15A0D4BA822F624A27C82BEF7AB6206C26929BB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-DEU.exe</td><td class=\"sbody-td\">477C2138E404A436409F5C2A640492D582C2BD6C</td><td class=\"sbody-td\">2E1581BC2A68DB5484AC4945BDE8F716AB25C866D03197C81C0474F99FD15D28</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-DEU.exe</td><td class=\"sbody-td\">D0EEBFAB8AC2AF1751457B20A6E61A8AF3122AC4</td><td class=\"sbody-td\">B4445605EC3401B3CE5405F47119E7335BF4DB84994FB58BCB9C8A0F354262C7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-ENU.exe</td><td class=\"sbody-td\">61EBA01CCAA4319756173B15CD2312E242C7DE86</td><td class=\"sbody-td\">FF127A7BDCE8490939E72F644D690A42CD5E6381F6E923EAA8FE6A03F97B862E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-ENU.exe</td><td class=\"sbody-td\">6E436C055E22B85EE9CD8D6A609129A5CC62193E</td><td class=\"sbody-td\">405C179BFEF981EA236D086234C9AD96AD8C65136F849993AF9B032471177424</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-ENU.exe</td><td class=\"sbody-td\">A105DD7B64EC1BEDCD324B9E8E2CC8FE04D9B344</td><td class=\"sbody-td\">A599D85DC9007E78FEFC45C585EE5695AD0BD9D89F28808D73618638496DBCC7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-FRA.exe</td><td class=\"sbody-td\">529AB97BBCAF7D221AEAF9D3FA99DFAB00D7B9A6</td><td class=\"sbody-td\">687DE1021B40FB6C63B3C56FF3B20BC1D4C7657C69AADAA591DD39AD619D413F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-FRA.exe</td><td class=\"sbody-td\">73412E221A36F64819BC2B8755684EBEF3659A45</td><td class=\"sbody-td\">51CD5D43A3A5EBF238B0F4281E28CB33B3DE330875731863C9B05E7CEF4BBDA9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-FRA.exe</td><td class=\"sbody-td\">774546A618CAAE718D40384AF7801765D8A9FB0F</td><td class=\"sbody-td\">490A628C5FE31F9AAFF75FB1DE4BF85BCC9EDA587E8B990C7E3A2521CE46F91D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-JPN.exe</td><td class=\"sbody-td\">2DB242F039F169821C4A143B367997C98CD04E14</td><td class=\"sbody-td\">9B6C8E3E3B6D0B83B79339CFFF3DF311700992E5772AB333787BF5FA5BDA6417</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-JPN.exe</td><td class=\"sbody-td\">33363EAF0A54FFECCEE611E2325385B7211C33A4</td><td class=\"sbody-td\">F0530A75BFC88A19CEBCD100B6F1DAD648404CB6AA8F1581793A042334EFAF53</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-ia64-JPN.exe</td><td class=\"sbody-td\">6DAE0C57E1C22DBFE9CCE03D5ECAB7D0A0B4198B</td><td class=\"sbody-td\">67C592A2D5C95A055A25C59ED0F4EEB06AAC402DDB4B5A895C471259C7572995</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-CHS.exe</td><td class=\"sbody-td\">12C80EF604A67DCBB980B59BF072E6E10F11AF48</td><td class=\"sbody-td\">96FB980EB7BF10CCEFA498F33A9558182854AF086112B6F3FB63B538461DF7F4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-CHS.exe</td><td class=\"sbody-td\">81BDB735FB3757556E692226B305AFE94DEE00BD</td><td class=\"sbody-td\">EA26285A25F80D5A591C09AD49343A0B9CDFBB52CB635E8449E3E1C24E782B7F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-CHS.exe</td><td class=\"sbody-td\">D2F2E7EA8E2E3F41DE212057B97C8667DED3D9E4</td><td class=\"sbody-td\">68B3879DD979D82447FDE72EAB6F69EC1BCBF6EA53E8747D12F8050A06218E6C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-CHT.exe</td><td class=\"sbody-td\">2E8226A7F37CEF1F6A72841D25CDD615E7096D8A</td><td class=\"sbody-td\">579D179D7BEDC7676F9973C0C9501F56DE48011DEF0493FB78E2AF63168A73FD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-CHT.exe</td><td class=\"sbody-td\">7770FE700E3A0A10455AD8977D7E18732DE99850</td><td class=\"sbody-td\">50C74E58B591B67EA0FD46148B2CC9BB05F69085551993AF7E6E55E2A166DF8C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-CHT.exe</td><td class=\"sbody-td\">DF9C347CA92F6318286154996B4111D916297E1F</td><td class=\"sbody-td\">0F23FC083EB2E597C3412B60E0A236A3E6337F67A0B806E4A2F0D0E20B4A6BEC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-DEU.exe</td><td class=\"sbody-td\">69868E8418875B41E083502F71E20CB1B77B0786</td><td class=\"sbody-td\">603579DFF2E40AD85AEAECFEA6CA3EB72AECE413ACB6D2DD7C83DB7F97861BB3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-DEU.exe</td><td class=\"sbody-td\">98C636193E5774014657DD6A48171309E6EB71DA</td><td class=\"sbody-td\">78FDA9862F2195EBE1DBBB568EC7CFB673C20E6A78460AB0C786BA51BF7F15E3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-DEU.exe</td><td class=\"sbody-td\">B807D67517525B54B3E6A8245FA2B32A8A097525</td><td class=\"sbody-td\">8B2D7DF0B8EC8AB515F6808B1BDA95E6170E623D5E30D2D8B4EDC14D40BA33CC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-ENU.exe</td><td class=\"sbody-td\">0FC725B09A1DB0B91B570EEDE452F4F5D03517BB</td><td class=\"sbody-td\">3DBC5837FBCB06F90A2C9F095FCD8F63DD77B72FB9BA96AB9422B4D9389B12A4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-ENU.exe</td><td class=\"sbody-td\">4C7B04507EF12F3D3C1C204692C139A9D46407BC</td><td class=\"sbody-td\">43779F6FB40D133513C8FF703802ACCBD3DDDD98AAC65FBF787D833FE2B2F494</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-ENU.exe</td><td class=\"sbody-td\">F17BB4CD276EE899C58CAAD1AD636782BA15E029</td><td class=\"sbody-td\">D4D20EE900DFB8717B5F2A0DCDEE2F82A9A97F17B2F8010A256DE70CBDD8902D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-ESN.exe</td><td class=\"sbody-td\">7DE4329796366771F16CAF55C0066BAD62F56ADC</td><td class=\"sbody-td\">70371E3C31919A963AB7F42C110269B102864A1081DD1F61A61C53A6777F02E8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-ESN.exe</td><td class=\"sbody-td\">A997E4F4C718BD03B65EB6C8736203AA92F7A64A</td><td class=\"sbody-td\">D3337DB6B40D4C03ED337D595041B37A8364C5334FDDDB379957E7FCC59392CF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-ESN.exe</td><td class=\"sbody-td\">F6201AAFB092C7CD6FFBF079994DEF3545E6AC22</td><td class=\"sbody-td\">C6271911B03F70573F8CEF1F18027141453471CCFE329849E177B1AAFDCB207C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-FRA.exe</td><td class=\"sbody-td\">321680FE42866593DAB841CFC92E9E5BF20097A5</td><td class=\"sbody-td\">0C4820FA0181B643004CE5FEFDCDB9D857372AE1397B617D29F4A4AA4E96F229</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-FRA.exe</td><td class=\"sbody-td\">9916CEE3BF64677BFE7F93A10DB94317F9AACD10</td><td class=\"sbody-td\">5E59E3E5EA5857F21BA6087D060AA7A9CB38E3ED7EB29A903CF7E150E8FC7266</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-FRA.exe</td><td class=\"sbody-td\">BD3370349DEDA848398C5AEF561CFE19459062F7</td><td class=\"sbody-td\">B4BC5F69512E05059FDF1AC40E17F762300B6E9DB8EDF5D316BD3CF72FA983F3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-ITA.exe</td><td class=\"sbody-td\">2CEAF859E1582F3B454C87221ECE3C5BCB08E968</td><td class=\"sbody-td\">345D24AF6EAFFF7DDC24C99D483B6A2D47D332B63CBCD03A31B33B358E38D404</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-ITA.exe</td><td class=\"sbody-td\">3F53C36FF4C878AE807051E50983023A9AB04ABA</td><td class=\"sbody-td\">7C0EF46A12D8D7F28656FFD096533F59DF1B0EA655306A7856136804732BF84A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-ITA.exe</td><td class=\"sbody-td\">7B31AD9DA61A9709E9AE955CAF911DF045607568</td><td class=\"sbody-td\">1CA92C98105822F696C95530917CF3C5D5E206FFB630263A453ABCA8EBDA0889</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-JPN.exe</td><td class=\"sbody-td\">34FABE8BA36C9D8A466527A5E9561C4550BDD9D6</td><td class=\"sbody-td\">E16FD6119D2166637DBD11C1CCE67E8B33B53ACB4A4947E49776F22B85196C9B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-JPN.exe</td><td class=\"sbody-td\">3D4AE129AC4B9DFA275DC5AA68434D73A38F93A2</td><td class=\"sbody-td\">7304C2E55CD974F0267555DAD7ED049654D41B787EE3E757CF6140FABAAE7E6B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-JPN.exe</td><td class=\"sbody-td\">DF55CFFBDE3FD651B163325B764EDDE91F24F10F</td><td class=\"sbody-td\">E8FA4E6DC17AAE4F6C398E65A4B50FD8DD6676C1893693248372968C6C326724</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-KOR.exe</td><td class=\"sbody-td\">309720A21164C26DDD12D23A20711FF9F564D3D3</td><td class=\"sbody-td\">41C0032A2FED6D40E9C197EB693B7A51CF634ADF466F574C1E946A3C100B0B95</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-KOR.exe</td><td class=\"sbody-td\">3BF0B93125BDA8594466AA93E9F5999177E8B6EC</td><td class=\"sbody-td\">D26305E2778F14DD7240C8609BC84CF2721D3C0B58AA9053D3697C4F0D7A6C10</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-KOR.exe</td><td class=\"sbody-td\">5B425E0BC180AA7F42283386E709AD5341F2D4FF</td><td class=\"sbody-td\">9CC48F35907BA3829AF9E3DB6DE41144913229FB8DC2ABE1023A772CAEB9E317</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-PTB.exe</td><td class=\"sbody-td\">363703FDA19BCC3EA14041246C0C783A12597902</td><td class=\"sbody-td\">12DB1D55AD8E03FA9DC0DD957FD2BB2C4D68D3ADA3501DC1B27EEC125591AB6D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-PTB.exe</td><td class=\"sbody-td\">6166F37F6FF54096D09F6F0D8275896519A75E91</td><td class=\"sbody-td\">1DEF227DA971FCCB0B90C421D131D02E1D0436922EBE73C671E4D3836868A9AA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-PTB.exe</td><td class=\"sbody-td\">6472D2009FA4CF48752230D93BCB7CC58F5AFF04</td><td class=\"sbody-td\">344C2B1A6E5470DDBCBD69A40367A3C58C06C223E211CA84049AB8A33CD68C14</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-RUS.exe</td><td class=\"sbody-td\">243CEB4CFE89D331B691BA85761D26C2BEABBEE9</td><td class=\"sbody-td\">FD764D062956611853D5E990A6B8E5A9FD158845DB126997C16348D32071DC39</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-RUS.exe</td><td class=\"sbody-td\">7A102707A74A2C2DE5D67EB471222FA7AD8172D7</td><td class=\"sbody-td\">F2C06ED0143D83F044E25A40BC8AADE524F5729D57A91C25830B4AC94F2EBD4D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x64-RUS.exe</td><td class=\"sbody-td\">F2F99E4234BB6E65482DB70E714E7DE4F36746D3</td><td class=\"sbody-td\">872C269B18144DBD1E9A61244A9083826FB15BB423D3128F62E7EAED09A4FEAA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-CHS.exe</td><td class=\"sbody-td\">43484FA4BED858C7B0155C7A3D5ACB39DC2BF44F</td><td class=\"sbody-td\">73E9DFFEE621B3C8710F42E9B02258E4E310D5FE6DCA71839C05F87106AC3AEF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-CHS.exe</td><td class=\"sbody-td\">A592CE31C0155AAE2096DF24371A5AA1029D87CD</td><td class=\"sbody-td\">3FCEDCA8DE715C5D68E8248D5D2BC34D8986E3C89492220AADD521BAAEF987AA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-CHS.exe</td><td class=\"sbody-td\">FB8EBC4B8F760425004595653830D0A93F6DFFF5</td><td class=\"sbody-td\">DD535174892BED61F046F6D5E4A9F4269F8DC0E01FC301D82D0065004AE3F1DE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-CHT.exe</td><td class=\"sbody-td\">16B066A8EB557A5DB9F63BDB81E3D841F3EFB58D</td><td class=\"sbody-td\">6DBE2BD34F42BB5A68B9F2059409046A7D8E90D664614079BAC2A483833E77FE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-CHT.exe</td><td class=\"sbody-td\">445074C533A9D46A5C1197EAA4DC158BACF2EAD3</td><td class=\"sbody-td\">E7DB3EB3C8F88C7B955792CCB05AF358F94F09FE3E3C7E170670E6FBB1CA9DCA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-CHT.exe</td><td class=\"sbody-td\">DDC119316CB284EC451F3E2AD18EB287DA10D026</td><td class=\"sbody-td\">C1C77D2127646B5E069716DC60EF26FCEEFB22391B39457DEF2E4920FCD5D881</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-CSY.exe</td><td class=\"sbody-td\">2A0A44B31F77197E2719ED4BD46309D47B27D220</td><td class=\"sbody-td\">07C169A5F07918E9D19763B638958109991EE9E310CD6C77F185A92A027F4759</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-CSY.exe</td><td class=\"sbody-td\">A338D95475B386F012E492E45D833A113B0E60F9</td><td class=\"sbody-td\">541F34C3845F6FACE17D5A0173BCCF4642B171DBC8FA158F598E874882920905</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-CSY.exe</td><td class=\"sbody-td\">CDE96397343717C51AB77D223E44E52FCB7779C0</td><td class=\"sbody-td\">AD17B589393F4437B0B46B4E5E12DEEE7EC40B254805A601E046F4332A766A3B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-DEU.exe</td><td class=\"sbody-td\">29CA04EE876D193DC683FC102BF423746416BCE1</td><td class=\"sbody-td\">DC9B5EB63F373F195EA9B1A773B62C853AD57365F1C272A88809701BBA0D1699</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-DEU.exe</td><td class=\"sbody-td\">A5885E0E73EAAFC574D91E8FB4B57F306863588A</td><td class=\"sbody-td\">3AEE6F7DCC11F9F8ABD8466CE32E821FC1F950B58317AFAB882FEC6A129136E7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-DEU.exe</td><td class=\"sbody-td\">DA524CE2A91CCE0629C1E6BDC438D0688C2D4C49</td><td class=\"sbody-td\">C27409D16EA9FBA16C13FA4C08C65DE36FD69749A744B5A221AA2381D089031E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-ENU.exe</td><td class=\"sbody-td\">09A02CCBDB7177DFC6D510BE8F06B498E06DFEC4</td><td class=\"sbody-td\">8EA0F15D296B95073B3349F0C9CC42F1ED8F2899FDC81CC084100E2D500921D8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-ENU.exe</td><td class=\"sbody-td\">112C98B39C06C02286FBF52CB11EAF0E5DC653A9</td><td class=\"sbody-td\">AEED509F040BCA5176E800F68DBB371FF45E19CB66745A247AD8CA187D1D4594</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-ENU.exe</td><td class=\"sbody-td\">B20AFD94C6F632CA52748ACF12DC99CD72D8DFC6</td><td class=\"sbody-td\">4C483FAEE6446C5619FA4FED49E23E474B6A7EF822F4C6F295207195EC7B3423</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-ESN.exe</td><td class=\"sbody-td\">2BFF21D110D4FA77C0276479D4D99C91E6B37CFD</td><td class=\"sbody-td\">7F8431432795C778844E1C55637C607570002AE6F47BD508F4E7FAC8FD427E3A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-ESN.exe</td><td class=\"sbody-td\">59E1BC1ACE750CEB964C4DD4CA6D507D240B79CC</td><td class=\"sbody-td\">78B257CE00F150F40ED8A6FC8F28D25BC35AE66E2C6BF6E0BE5F59EA3347BE09</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-ESN.exe</td><td class=\"sbody-td\">FB5D51503720EC5B7AD15D53A52E66AE5A4FC0A1</td><td class=\"sbody-td\">7A0AEB8EA97D7D7B1C08E7E3DFDDB8A334E552696DD2F4B1357AFC07234EF581</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-FRA.exe</td><td class=\"sbody-td\">4532B16C248D699E08E32632193892984FC6E621</td><td class=\"sbody-td\">FAEE433E42FEB7BDDF46125F242EC54C3DA722D3D4994BC778741E71D8ABCAE2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-FRA.exe</td><td class=\"sbody-td\">80EB4E7A98E7196CDC2C21CA924DF2083814ACF8</td><td class=\"sbody-td\">F43F3D15109A4556A938345DD378D876B4F03D40F6FF8F78C5CC6F7253739E54</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-FRA.exe</td><td class=\"sbody-td\">D26F190449C703BEE7866170F096171272338321</td><td class=\"sbody-td\">D6557B5E0D4FB19BD8508C319669DFB602D2332617E9E7018912C443F01139A4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-HUN.exe</td><td class=\"sbody-td\">42574ED7B49784BB8768F79A4A89E01A03711B28</td><td class=\"sbody-td\">CA7C9E444CE83743ACE517A785F6D3A36466E2C0B8BC968D9C6719CAD8E0136E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-HUN.exe</td><td class=\"sbody-td\">C63CD0D4BFEAFAA833B7777EDC5FC38FB695E33E</td><td class=\"sbody-td\">081BC44B0E284D5BFB3160C699769CEDA85396FA43961F4D61F334A0FEBB0D5A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-HUN.exe</td><td class=\"sbody-td\">E3E0A1CFF473A1F2A8D86F3E58DB23345A654F83</td><td class=\"sbody-td\">A5EDCDB621682F72F42DD0C999D20F3BC7AECAA61CEC5581F29C50E443CDA8D2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-ITA.exe</td><td class=\"sbody-td\">5908934979E6DE5F79F8BEAF0928623547364439</td><td class=\"sbody-td\">E2CF87139B85FBF8D3ADF3665484E8B47E30058200D5D01029799275900A6860</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-ITA.exe</td><td class=\"sbody-td\">6EAEC941678624F1E60BAA139EFFD95C03405744</td><td class=\"sbody-td\">D8C44176F1602DE630E2AC894471BCC2708E3D13D1F74AAFA422D1F6C6DB4641</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-ITA.exe</td><td class=\"sbody-td\">BB8FA9CE0256096F360401E34C308F72B52E49BB</td><td class=\"sbody-td\">05E3A8C281461C4BDF9BE50A89312B45C13EFD7F06DA097BC3541A5BD2FE36A4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-JPN.exe</td><td class=\"sbody-td\">1D46D159EFF96CB8805D8398B392244D67B1BDA4</td><td class=\"sbody-td\">3EBD56F4BD00675823B066F5CB55A7BD9AE60BC0EA0AFBA3BBC7FBDB5DAD6EE9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-JPN.exe</td><td class=\"sbody-td\">362E8ADC3D2B579BE8EEF879F884D809233483D6</td><td class=\"sbody-td\">3A8AFD49720DE895488ED5BC6AA596F908802FAD1882647402BB6DBDC6E68D53</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-JPN.exe</td><td class=\"sbody-td\">79056B8A2FACCC97B9353A4A4D718D72B8027C3B</td><td class=\"sbody-td\">D628C787600207C6742D850D55E7A49B7A56B2683FBE788FCBF7EDC3DD997868</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-KOR.exe</td><td class=\"sbody-td\">AEBD1876367DCFCC3F9323DC811E2B0A74F3691D</td><td class=\"sbody-td\">BD1A7521BC5468B3E0234973296009460422C9ADD7B8E4A0F08419B62330F606</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-KOR.exe</td><td class=\"sbody-td\">C9D5480FDE24D62B8FDF0E4FDC7C3324F08C2DD7</td><td class=\"sbody-td\">98EC03F61196A50BE02715C10C08FD516EE882DCA5481E8F7E65ACAF18384BDC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-KOR.exe</td><td class=\"sbody-td\">D3B38338EB9C18A00D3C9825496AEBAE8EB54686</td><td class=\"sbody-td\">D582E87F5E474F5619E66655C28246300F2373A31D36D4F23A47E4031E7DC2A7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-NLD.exe</td><td class=\"sbody-td\">4BF378C628084B3272AB11967BAD03EC7EE5EB8B</td><td class=\"sbody-td\">C8EA13D7CF4F88B94F1C8EA0772D5186951ACBC707B62D014A680779218A8F35</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-NLD.exe</td><td class=\"sbody-td\">A704C661A0D05A04F47645BA173DA5DA637DD2CF</td><td class=\"sbody-td\">808D26211E4AEEAF3A5D3A2771BE834010A5E571E06FF886A132D7E7EA73183F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-NLD.exe</td><td class=\"sbody-td\">DDD12B71A137020767719CCFE0C5E88A2888EEC9</td><td class=\"sbody-td\">43C5840EA3C5694C5A1E39D285F627AB7CAE238EF315E334A30D9FC9052CF32D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-PLK.exe</td><td class=\"sbody-td\">0B3608D436AB3098B83D12624EE3281B7841EAFE</td><td class=\"sbody-td\">E3799F4839E6B9153635EC9F74655AE7ABC7F62C9112152389CCFAAA20FE3DD0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-PLK.exe</td><td class=\"sbody-td\">207E5F9AF17BB912C5F455385388AAB799F8711A</td><td class=\"sbody-td\">91E8EE437589D2C9AFB4C328D8EDBF3DC7633E30530B6DADEEBC8CCC8EE76142</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-PLK.exe</td><td class=\"sbody-td\">8FA7BEEE6F3DEEC75C692A5E5648CEBC887D104D</td><td class=\"sbody-td\">649C0D802961B0545736F067D864D15FA8BD218545F72EA08F3B4AA3345FE717</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-PTB.exe</td><td class=\"sbody-td\">1B5A89B8ED7E28D9E6D36B0788D2399DE56630A3</td><td class=\"sbody-td\">763BE60C35FE054AD1C0AFC5D6057552CE30A89CC742C149DCF7487FDE340C30</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-PTB.exe</td><td class=\"sbody-td\">B8D4A2C8F983493B5D248BA69C2CAAB5072AE375</td><td class=\"sbody-td\">3A12A4DB6102200411DBA6CB06B6CD0C365826A1C562F7D9D19E10CC22AC59F0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-PTB.exe</td><td class=\"sbody-td\">BAB5ADB4CD631FBFFB6019D43076AB1219986147</td><td class=\"sbody-td\">A192C620F16BB740FC70EF7291AAA4B7CD654DEF0C4777F07811FF62B8C30A0D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-PTG.exe</td><td class=\"sbody-td\">7087AF395676B251F3FC51E347FC68111311DEB4</td><td class=\"sbody-td\">DE1888AAFB0ABC75BC5391EE3D14D6FF0AE2FC4B773C345EEA7D70B1685BB6C3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-PTG.exe</td><td class=\"sbody-td\">AFD912F254BCEAF161062CEDA7FFEB1489655178</td><td class=\"sbody-td\">A06ED5C6E54002F03F661C948E221C283F2F7D44D2BC220A7D8FCD7BED160693</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-PTG.exe</td><td class=\"sbody-td\">E1C5F01B23762BE47A695358854D288F0B17F3FE</td><td class=\"sbody-td\">9F13F235AEA48687A7AA97DA37EC7B6525702E2749F53DB94CE343021718DA80</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-RUS.exe</td><td class=\"sbody-td\">56800726898EEA88E7F0666F04592EE03ABE58D8</td><td class=\"sbody-td\">8FDA542AD3A6C54751C5C9471EB8CC10D9E0B7B73A68B2BE564CD2ABD8FDEAF0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-RUS.exe</td><td class=\"sbody-td\">CB4837D2EA8E921AB23504B8B0F11E5379CA3666</td><td class=\"sbody-td\">E681091DCBCD229CC33EA6F18D84DC27424AAB8FF9DE82C2FF05CADBB2790284</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-RUS.exe</td><td class=\"sbody-td\">D3048F4A0295A44B7C0A2536D653FD7237A52E55</td><td class=\"sbody-td\">4ABE10C7C18AF69368C10472D08008F0EE9854C6834E5603886F7617E7E2DCB2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-SVE.exe</td><td class=\"sbody-td\">6AE66A72608112E7EB8186957880D93FF012D226</td><td class=\"sbody-td\">E043F6B80599EB7E10903C509CA746553070845FE0049DE27628E3A332EF84C8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-SVE.exe</td><td class=\"sbody-td\">70E31E417CCAACD736AFB843629D98CC36C15216</td><td class=\"sbody-td\">9A7181BB207CC07CF47E0B27D44F241F413D0FA23CC4D2AD486B3C0C08941AA0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-SVE.exe</td><td class=\"sbody-td\">8289298D5B1F22A2B64B4B2643F345329100083D</td><td class=\"sbody-td\">438110FB5724E6927BA774C2139D077C1A7A6D336C5686C2FB9386AE477836C1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-TRK.exe</td><td class=\"sbody-td\">446FE0C951D6CAC03B0B9F4E66709E4262D73F3B</td><td class=\"sbody-td\">47AB3081C50E4965FB0B41EB8384D82471E7B9A86499D5D3F2C2DBBE2A04AF56</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-TRK.exe</td><td class=\"sbody-td\">BC0A7D06F75272D2297D0FF88F61D8E4DBC06788</td><td class=\"sbody-td\">B0E63C9F3FDA947EBA480F79BB92F3F3A86891B8FC8BE57657295656ED7F5882</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3032323-x86-TRK.exe</td><td class=\"sbody-td\">EF91506BD07EBB90787AFACF8CF5A3E8EC1D1B8C</td><td class=\"sbody-td\">178FC00A86DF316BDC2468BE38A24CA559F1A3DABC6875CA07ED5867C3D2B346</td></tr></table></div></div><br/></span></div></div></div></div></body></html>", "edition": 16, "modified": "2015-03-10T18:31:21", "id": "KB3032323", "href": "https://support.microsoft.com/en-us/help/3032323/", "published": "2015-03-10T00:00:00", "title": "MS15-021: Vulnerabilities in Adobe font driver could allow remote code execution: March 10, 2015", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:43:42", "description": "The remote Windows host is affected by the following vulnerabilities\nin the Adobe Font driver :\n\n - A flaw exists in the Adobe Font Driver due to improper\n allocation of memory. This allows a remote attacker,\n using a specially crafted font in a file or website, to\n cause a denial of service. (CVE-2015-0074)\n\n - Multiple flaws exist in the Adobe Font Driver that allow\n a remote attacker, using specially crafted fonts, to\n obtain sensitive information from kernel memory.\n (CVE-2015-0087, CVE-2015-0089)\n\n - Multiple flaws exist in the Adobe Font Driver due to\n improper validation of user-supplied input. A remote\n attacker can exploit this, using a specially crafted\n font in a file or website, to execute arbitrary code.\n (CVE-2015-0088, CVE-2015-0090, CVE-2015-0091,\n CVE-2015-0092, CVE-2015-0093)", "edition": 27, "published": "2015-03-10T00:00:00", "title": "MS15-021: Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution (3032323)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0090", "CVE-2015-0089", "CVE-2015-0092", "CVE-2015-0088", "CVE-2015-0093", "CVE-2015-0091", "CVE-2015-0074", "CVE-2015-0087"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS15-021.NASL", "href": "https://www.tenable.com/plugins/nessus/81736", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81736);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2015-0074\",\n \"CVE-2015-0087\",\n \"CVE-2015-0088\",\n \"CVE-2015-0089\",\n \"CVE-2015-0090\",\n \"CVE-2015-0091\",\n \"CVE-2015-0092\",\n \"CVE-2015-0093\"\n );\n script_bugtraq_id(\n 72892,\n 72893,\n 72896,\n 72898,\n 72904,\n 72905,\n 72906,\n 72907\n );\n script_xref(name:\"MSFT\", value:\"MS15-021\");\n script_xref(name:\"MSKB\", value:\"3032323\");\n\n script_name(english:\"MS15-021: Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution (3032323)\");\n script_summary(english:\"Checks the file version of atmfd.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Adobe Font driver on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities\nin the Adobe Font driver :\n\n - A flaw exists in the Adobe Font Driver due to improper\n allocation of memory. This allows a remote attacker,\n using a specially crafted font in a file or website, to\n cause a denial of service. (CVE-2015-0074)\n\n - Multiple flaws exist in the Adobe Font Driver that allow\n a remote attacker, using specially crafted fonts, to\n obtain sensitive information from kernel memory.\n (CVE-2015-0087, CVE-2015-0089)\n\n - Multiple flaws exist in the Adobe Font Driver due to\n improper validation of user-supplied input. A remote\n attacker can exploit this, using a specially crafted\n font in a file or website, to execute arbitrary code.\n (CVE-2015-0088, CVE-2015-0090, CVE-2015-0091,\n CVE-2015-0092, CVE-2015-0093)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-021\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for 2003, Vista, 2008, 7,\n2008 R2, 8, Windows RT, 2012, 8.1, Windows RT 8.1, and 2012 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS15-021';\nkb = '3032323';\n\nkbs = make_list(kb);\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\nif (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Some of the 2k3 checks could flag XP 64, which is unsupported\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows XP\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"atmfd.dll\", version:\"5.1.2.241\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 8 / Windows Server 2012\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"atmfd.dll\", version:\"5.1.2.241\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 7 and Windows Server 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"atmfd.dll\", version:\"5.1.2.241\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / Windows 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"atmfd.dll\", version:\"5.1.2.241\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"atmfd.dll\", version:\"5.2.2.241\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:00", "bulletinFamily": "software", "cvelist": ["CVE-2015-1635", "CVE-2015-0075", "CVE-2015-1624", "CVE-2015-0098", "CVE-2015-0100", "CVE-2015-1657", "CVE-2015-1666", "CVE-2015-0099", "CVE-2015-1643", "CVE-2015-1626", "CVE-2015-1652", "CVE-2015-1661", "CVE-2015-0079", "CVE-2015-0090", "CVE-2015-0076", "CVE-2015-0077", "CVE-2015-1647", "CVE-2015-1662", "CVE-2015-1634", "CVE-2015-1645", "CVE-2015-0005", "CVE-2015-0089", "CVE-2015-0084", "CVE-2015-1644", "CVE-2015-0092", "CVE-2015-0073", "CVE-2015-1625", "CVE-2015-1637", "CVE-2015-0088", "CVE-2015-0056", "CVE-2015-0078", "CVE-2015-1648", "CVE-2015-0093", "CVE-2015-1646", "CVE-2015-0091", "CVE-2015-1665", "CVE-2015-0032", "CVE-2015-1659", "CVE-2015-0080", "CVE-2015-1668", "CVE-2015-0074", "CVE-2015-1622", "CVE-2015-1623", "CVE-2015-0096", "CVE-2015-0081", "CVE-2015-1667", "CVE-2015-0087", "CVE-2015-1660"], "description": "Multiple Internet Explorer vulnerabilities, VBScript engine, graphics, HTTP.sys vulnerabilities, privilege escalation, code execution, restrictions bypass, information disclosure, DoS.", "edition": 1, "modified": "2015-04-16T00:00:00", "published": "2015-04-16T00:00:00", "id": "SECURITYVULNS:VULN:14384", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14384", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}