What Is TrueType Font Parsing in Windows?
TrueType is the dominant font format used on Windows and macOS systems. Windows includes a shared font rendering subsystem (in GDI and DWrite) that parses TrueType font files when they are loaded — whether by applications displaying text, by documents embedding custom fonts, or by the OS rendering desktop elements. Because font parsing happens in a shared library used by virtually every application, a vulnerability in TrueType parsing can be exploited through multiple delivery vectors: malicious documents, web pages with embedded fonts, or specially crafted font files.
TrueType font vulnerabilities have a long history in Windows security — Microsoft has patched dozens over the years. The same parsing engine is shared across Windows, Office, .NET, Lync, and Silverlight, making font vulnerabilities cross-product in scope.
Overview
CVE-2015-1671 is a remote code execution vulnerability in Microsoft's TrueType font rendering engine that affects Windows, .NET Framework, Office, Lync, and Silverlight. When one of these components processes a maliciously crafted TrueType font, a memory corruption condition enables arbitrary code execution. The wide scope of affected products reflects the shared font rendering library. Patched in MS15-044 (May 12, 2015).
Affected Versions
| Product | Status |
|---|---|
| Windows Vista / Server 2008 | Vulnerable |
| Windows 7 / Server 2008 R2 | Vulnerable |
| Windows 8 / 8.1 / Server 2012 / 2012 R2 | Vulnerable |
| Windows RT / RT 8.1 | Vulnerable |
| .NET Framework 3.5, 3.5.1, 4, 4.5, 4.5.1, 4.5.2 | Vulnerable |
| Office 2007 / 2010 (Mac & Windows) | Vulnerable |
| Lync 2010 / 2013 | Vulnerable |
| Silverlight 5 | Vulnerable |
Systems patched with MS15-044 are not vulnerable.
Technical Details
Root Cause: Memory Corruption in TrueType Font Processing
TrueType font files contain tables with metrics, glyph outlines, hinting instructions, and metadata. The Windows font parsing engine reads these tables and builds internal data structures used for rendering. CVE-2015-1671 involves a memory corruption flaw — buffer overflow or similar out-of-bounds write (CWE-119) — when processing a malformed TrueType table.
The corruption overwrites adjacent memory in a way that can be leveraged for arbitrary code execution. Because the font engine runs in the context of the application loading the font (not a separate process), the code execution occurs at the privilege level of the affected application.
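The table layout described above can be screened before a font ever reaches a renderer. The following is an added example, not Microsoft's code and not a reproduction of the CVE-2015-1671 flaw (the page does not identify the affected table): it checks that every table-directory record stays inside the file, the structural invariant whose absence leads to CWE-119 class bugs. The function names and the `GOOD`/`BAD` sample blobs are constructed for illustration.

```python
import struct

SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"true"}  # TrueType-flavoured sfnt headers

def check_table_directory(data: bytes) -> list[str]:
    """Return structural problems found in an sfnt table directory."""
    problems = []
    if len(data) < 12:
        return ["file shorter than the 12-byte offset table"]
    version, num_tables = data[:4], struct.unpack(">H", data[4:6])[0]
    if version not in SFNT_VERSIONS:
        problems.append(f"unexpected sfnt version {version!r}")
    dir_end = 12 + 16 * num_tables  # each table record is 16 bytes
    if dir_end > len(data):
        return problems + [f"directory claims {num_tables} tables but file is too short"]
    spans = []
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        name = tag.decode("latin-1")
        if offset < dir_end:
            problems.append(f"{name}: offset {offset} points into the header/directory")
        # Python integers do not wrap; a C parser must do this sum without
        # 32-bit overflow or the check can be bypassed.
        if offset + length > len(data):
            problems.append(f"{name}: offset+length {offset + length} exceeds file size {len(data)}")
        spans.append((offset, offset + length, name))
    spans.sort()
    for (_s1, e1, n1), (s2, _e2, n2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"{n1} and {n2}: table data overlaps")
    return problems

def build_font(records, size):
    """Build a sample sfnt blob (constructed test data, not a real font)."""
    head = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(records), 0, 0, 0)
    body = b"".join(struct.pack(">4sIII", t, 0, o, n) for t, o, n in records)
    return (head + body).ljust(size, b"\x00")

# Constructed samples: a consistent directory, and one whose 'glyf' record
# claims far more data than the 128-byte file holds.
GOOD = build_font([(b"head", 44, 54), (b"glyf", 100, 28)], 128)
BAD = build_font([(b"head", 44, 54), (b"glyf", 100, 4096)], 128)

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, check_table_directory(blob) or "ok")
```

A clean result only means the directory is self-consistent; it does not validate the contents of individual tables, so it complements patching rather than replacing it.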
Cross-Product Scope
The same underlying TrueType parsing code is shared among Windows GDI, .NET, Office, Lync, and Silverlight — meaning the vulnerability is exploitable via any of these paths:
- Web browser (via Silverlight or Web fonts): visiting a page with a malicious embedded font
- Office document: opening a document with an embedded malicious font
- Lync/Teams: receiving content with embedded font via instant messaging
- Any application: loading a malicious `.ttf` file
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Local — malicious document or file with embedded font |
| User Interaction | Required (open document or trigger font load) |
| Affected Scope | Windows, Office, .NET, Lync, Silverlight |
| CWE | CWE-119: Buffer Overflow |
| Bulletin | MS15-044 (May 2015) |
Discovery
Reported to Microsoft and patched in MS15-044 (May 2015 Patch Tuesday), which addressed multiple TrueType and OpenType font processing vulnerabilities across Microsoft products.
Exploitation Context
- Document-based delivery: Malicious Office documents or PDF files with embedded TrueType fonts serve as the primary attack vector — opening the document triggers font parsing and exploits the vulnerability
- APT and targeted attacks: TrueType font vulnerabilities are attractive to APT groups because they work across multiple applications and bypass application-specific mitigations; the broad product scope increases the likelihood that at least one delivery vector works against a given target
- Exploit kit integration: Font-based RCE vulnerabilities were integrated into browser exploit kits as Silverlight attack vectors during the period when Silverlight was still widely installed
- CISA KEV (2022): Added May 2022
Remediation
- Apply MS15-044 (May 2015). Any system current with Windows Update after May 2015 includes this fix.
- Keep all Microsoft products updated — because this vulnerability spans Windows, Office, .NET, Lync, and Silverlight, patching only one product is insufficient if others remain unpatched.
- Uninstall Silverlight — Silverlight reached end-of-life October 12, 2021. Remove it from all systems to eliminate that attack vector.
- Enable Office Protected View — sandboxes externally received documents and prevents automatic font loading from triggering vulnerabilities.
- Use Group Policy to disable font installation — prevents unprivileged users from installing custom fonts that could trigger font parsing vulnerabilities.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2015-1671 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2015-05-13 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CISA KEV Added | 2022-05-25 |
| CISA KEV Deadline | 2022-06-15 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2015-05-12 | Microsoft Security Bulletin MS15-044 released; CVE-2015-1671 patched |
| 2015-05-13 | CVE-2015-1671 published by NVD |
| 2022-05-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2015-1671 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS15-044 — Vulnerabilities in Microsoft Font Drivers Could Allow Remote Code Execution | Vendor Advisory |