Microsoft Graphics Remote Code Execution Vulnerability

2016-12-13T08:00:00
ID MS:CVE-2016-7256
Type mscve
Reporter Microsoft
Modified 2016-12-13T08:00:00

Description

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

There are multiple ways an attacker could exploit the vulnerability:

  • In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email.
  • In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability and then convince users to open the document file.

The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.

Rename ATMFD.DLL For 32-bit systems:

  1. Enter the following commands at an administrative command prompt:

    cd "%windir%\system32"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F)
    rename atmfd.dll x-atmfd.dll
    
  2. Restart the system.

For 64-bit systems:

  1. Enter the following commands at an administrative command prompt:

    cd "%windir%\system32"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F)
    rename atmfd.dll x-atmfd.dll
    cd "%windir%\syswow64"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F)
    rename atmfd.dll x-atmfd.dll
    
  2. Restart the system.

Optional procedure for Windows 8 and later operating systems (disable ATMFD): Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Method 1 (manually edit the system registry):

  1. Run regedit.exe as Administrator.
  2. In Registry Editor, navigate to the following sub key (or create it) and set its DWORD value to 1: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 1
  3. Close Registry Editor and restart the system.

Method 2 (use a managed deployment script):

  1. Create a text file named ATMFD-disable.reg that contains the following text:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DisableATMFD"=dword:00000001
    
  2. Run regedit.exe.

  3. In Registry Editor, click the File menu and then click Import.
  4. Navigate to and select the ATMFD-disable.reg file that you created in the first step. (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files).
  5. Click Open and then click OK to close Registry Editor.

Impact of workaround. Applications that rely on embedded font technology will not display properly. Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.

How to undo the workaround. For 32-bit systems:

  1. Enter the following commands at an administrative command prompt:

    cd "%windir%\system32"
    rename x-atmfd.dll atmfd.dll
    icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
    icacls.exe . /restore atmfd.dll.acl
    
  2. Restart the system.

For 64-bit systems:

  1. Enter the following commands at an administrative command prompt:

    cd "%windir%\system32"
    rename x-atmfd.dll atmfd.dll
    icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
    icacls.exe . /restore atmfd.dll.acl
    cd "%windir%\syswow64"
    rename x-atmfd.dll atmfd.dll
    icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
    icacls.exe . /restore atmfd.dll.acl
    
  2. Restart the system.

Optional procedure for Windows 8 and later operating systems (enable ATMFD): Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Method 1 (manually edit the system registry):

  1. Run regedit.exe as Administrator.
  2. In Registry Editor, navigate to the following sub key and set its DWORD value to 0: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 0
  3. Close Registry Editor and restart the system.

Method 2 (use a managed deployment script):

  1. Create a text file named ATMFD-enable.reg that contains the following text:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DisableATMFD"=dword:00000000
    
  2. Run regedit.exe.

  3. In Registry Editor, click the File menu and then click Import.
  4. Navigate to and select the ATMFD-enable.reg file that you created in the first step. (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files).
  5. Click Open and then click OK to close Registry Editor.
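To confirm that the workaround above is in place (either the ATMFD.DLL rename or the DisableATMFD registry value) or that the undo procedure has fully restored the original state, the following PowerShell audit function is an added example and not part of the Microsoft advisory. The function name and output layout are my own; it assumes a 64-bit system can be recognised by the presence of %windir%\syswow64, and it must be run from an elevated prompt to read the file ACL backup reliably.

```powershell
# Added audit helper (not from the advisory): reports the state of the
# ATMFD workarounds described above without changing anything.
function Get-AtmfdWorkaroundState {
    $checks = @()

    # 32-bit systems only have system32; 64-bit systems also carry syswow64
    # (assumption: presence of the syswow64 directory identifies 64-bit Windows).
    $dirs = @("$env:windir\system32")
    if (Test-Path "$env:windir\syswow64") { $dirs += "$env:windir\syswow64" }

    foreach ($dir in $dirs) {
        $orig    = Join-Path $dir 'atmfd.dll'
        $renamed = Join-Path $dir 'x-atmfd.dll'
        $acl     = Join-Path $dir 'atmfd.dll.acl'   # saved by 'icacls.exe atmfd.dll /save'

        $haveOrig    = Test-Path $orig
        $haveRenamed = Test-Path $renamed
        if     ($haveRenamed -and -not $haveOrig) { $state = 'renamed (rename workaround applied)' }
        elseif ($haveOrig -and -not $haveRenamed) { $state = 'present (rename workaround not applied)' }
        elseif ($haveOrig -and $haveRenamed)      { $state = 'both atmfd.dll and x-atmfd.dll present (inconsistent)' }
        else                                      { $state = 'atmfd.dll not found in this directory' }

        $checks += [pscustomobject]@{
            Check            = "$dir\atmfd.dll"
            State            = $state
            # The undo step 'icacls.exe . /restore atmfd.dll.acl' needs this backup file.
            AclBackupPresent = (Test-Path $acl)
        }
    }

    # Registry switch used by the optional Windows 8+ procedure.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $value = (Get-ItemProperty -Path $key -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
    if     ($null -eq $value) { $regState = 'value not present (ATMFD enabled by default)' }
    elseif ($value -eq 1)     { $regState = 'DisableATMFD = 1 (ATMFD disabled)' }
    elseif ($value -eq 0)     { $regState = 'DisableATMFD = 0 (ATMFD enabled)' }
    else                      { $regState = "unexpected DisableATMFD value: $value" }

    $checks += [pscustomobject]@{
        Check            = 'DisableATMFD registry value'
        State            = $regState
        AclBackupPresent = $null
    }
    return $checks
}

Get-AtmfdWorkaroundState | Format-Table -AutoSize
```

Run it once before and once after the rename or registry procedure (and again after the undo) so the before/after output documents the change on each host; a missing AclBackupPresent on a renamed file means the undo procedure will not be able to restore the original permissions.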