Cyber Resilience

CVE-2015-1671

HighCISA KEVActive ExploitationEUVD Exploited

Published: 13 May 2015

Published
13 May 2015
Modified
22 April 2026
KEV Added
25 May 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.8803 99.5th percentile
Risk Priority 88 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-1671 is a high-severity an unspecified weakness vulnerability in Microsoft .Net Framework. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is a TrueType font parsing flaw in the Windows DirectWrite library that can result in arbitrary code execution. It affects Microsoft .NET Framework 3.0 SP2 through 4.5.2, Office 2007 SP3 and 2010 SP2, Live Meeting 2007 Console, multiple Lync 2010/2013 versions, and Silverlight 5 releases prior to 5.1.40416.00, including the corresponding Developer Runtime.

Remote attackers can exploit the issue by supplying a crafted TrueType font, for example through documents or web content processed by the affected components. Successful exploitation grants the ability to execute arbitrary code in the context of the current user, with a CVSS 3.1 base score of 7.8 reflecting the requirement for user interaction.

Microsoft security bulletin MS15-044 addresses the vulnerability and supplies patches for the listed products; the associated SecurityFocus and SecurityTracker entries reference the same advisory for further details on updates. No information on observed in-the-wild exploitation is provided in the source references.

EU & UK References

Vulnerability details

The Windows DirectWrite library, as used in Microsoft .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2; Office 2007 SP3 and 2010 SP2; Live Meeting 2007 Console; Lync 2010; Lync 2010 Attendee; Lync 2013 SP1; Lync Basic 2013…

more

SP1; Silverlight 5 before 5.1.40416.00; and Silverlight 5 Developer Runtime before 5.1.40416.00, allows remote attackers to execute arbitrary code via a crafted TrueType font, aka "TrueType Font Parsing Vulnerability."

CWE(s)
KEV Date Added
25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
.net framework
3.0, 3.5, 3.5.1, 4.0, 4.5
microsoft
live meeting
2007
microsoft
lync
2010, 2013
microsoft
silverlight
5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the MS15-044 patches that correct the TrueType font parsing flaw in DirectWrite.

prevent

Mandates validation of untrusted font data before processing, which would block the crafted TrueType structures used for code execution.

preventdetect

Requires malicious-code detection mechanisms capable of inspecting or blocking documents and web content containing weaponized fonts.

References