Zero-day vulnerability in Windows

Memory Corruption

The vulnerability started to appear on the radar in June 2016 as it was used in "low-volume attacks primarily focused on targets in South Korea". A successful attack exploited a flaw in the Windows font library to elevate privileges, and to install a backdoor on target systems called Hankray.

Known malware:

Trojan Horse Exp.CVE-2016-7256.

Vulnerability details

Advisory: SB2016110906 - Multiple vulnerabilities in Microsoft Graphics Component

Vulnerable component: Windows

CVE-ID: CVE-2016-7256

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-119 - Memory corruption


A remote attacker can execute arbitrary code on the target system.

The vulnerability exists due to incorrect handling of objects in memory in Windows font library when processing Open Type fonts. A remote attacker can create a specially crafted font file and cause memory corruption.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on vulnerable system with privileges of the current user.

Note: this vulnerability is being actively exploited in the wild.