Microsoft Security Bulletin MS15-080 - Critical

Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3078662)

Published: August 11, 2015 | Updated: October 7, 2015

Version: 2.2

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType or OpenType fonts.

This security update is rated Critical for supported releases of Microsoft Windows and all affected editions of Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how:

  • The Windows Adobe Type Manager Library handles OpenType fonts
  • The Windows DirectWrite library handles TrueType fonts.
  • Office handles OGL fonts
  • The Windows kernel handles memory addresses
  • User processes are terminated upon logoff
  • Windows validates impersonation levels
  • The Windows shell validates impersonation levels

For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3078662.

Affected Software and Vulnerability Severity Ratings

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary.

Microsoft Windows - Table 1 of 3

Operating System OpenType Font Parsing Vulnerability - CVE-2015-2432 OpenType Font Parsing Vulnerability - CVE-2015-2458 OpenType Font Parsing Vulnerability - CVE-2015-2459 OpenType Font Parsing Vulnerability - CVE-2015-2460 OpenType Font Parsing Vulnerability - CVE-2015-2461 OpenType Font Parsing Vulnerability - CVE-2015-2462 Updates Replaced
Windows Vista
Windows Vista Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Vista x64 Edition Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 for x64-based Systems Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 for Itanium-based Systems Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 7
Windows 7 for 32-bit Systems Service Pack 1 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 7 for x64-based Systems Service Pack 1 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 8 for x64-based Systems (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 8.1 for 32-bit Systems (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 8.1 for x64-based Systems (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2012 R2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows RT and Windows RT 8.1
Windows RT[1](3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows RT 8.1[1](3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 10
Windows 10 for 32-bit Systems[2](3081436) Not applicable Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Critical  Remote Code Execution Critical  Remote Code Execution Not applicable
Windows 10 for x64-based Systems[2](3081436) Not applicable Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Critical  Remote Code Execution Critical  Remote Code Execution Not applicable
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2012 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2012 R2 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078

[1]This update is available via Windows Update only.

[2]The Windows 10 update is cumulative. In addition to containing non-security updates, it also contains all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with this month’s security release. The update is available via the Windows Update Catalog only. See Microsoft Knowledge Base Article 3081436 for more information and download links.

*The Updates Replaced column shows only the latest update in a chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is on the Package Details tab).

Microsoft Windows - Table 2 of 3

Operating System TrueType Font Parsing Vulnerability - CVE-2015-2435 TrueType Font Parsing Vulnerability - CVE-2015-2455 TrueType Font Parsing Vulnerability - CVE-2015-2456 TrueType Font Parsing Vulnerability - CVE-2015-2463 TrueType Font Parsing Vulnerability - CVE-2015-2464 Updates Replaced
Windows Vista
Windows Vista Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Vista x64 Edition Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 for x64-based Systems Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 for Itanium-based Systems Service Pack 2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 7
Windows 7 for 32-bit Systems Service Pack 1 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 7 for x64-based Systems Service Pack 1 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 8 for x64-based Systems (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 8.1 for 32-bit Systems (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 8.1 for x64-based Systems (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2012 R2 (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows RT and Windows RT 8.1
Windows RT[1](3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows RT 8.1[1](3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows 10
Windows 10 for 32-bit Systems[2](3081436) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable None
Windows 10 for x64-based Systems[2](3081436) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable None
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2012 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078
Windows Server 2012 R2 (Server Core installation) (3078601) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3079904 in MS15-078

[1]This update is available via Windows Update only.

[2]The Windows 10 update is cumulative. In addition to containing non-security updates, it also contains all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with this month’s security release. The update is available via the Windows Update Catalog only. See Microsoft Knowledge Base Article 3081436 for more information and download links.

*The Updates Replaced column shows only the latest update in a chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is on the Package Details tab).

Microsoft Windows - Table 3 of 3

Affected Software Kernel ASLR Bypass Vulnerability - CVE-2015-2433 Windows CSRSS Elevation of Privilege Vulnerability - CVE-2015-2453 Windows KMD Security Feature Bypass Vulnerability - CVE-2015-2454 Windows Shell Security Feature Bypass Vulnerability - CVE-2015-2465 Updates Replaced
Windows Vista
Windows Vista Service Pack 2 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Vista x64 Edition Service Pack 2 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2008 for x64-based Systems Service Pack 2 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2008 for Itanium-based Systems Service Pack 2 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows 7
Windows 7 for 32-bit Systems Service Pack 1 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows 7 for x64-based Systems Service Pack 1 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows 8 for x64-based Systems (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows 8.1 for 32-bit Systems (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows 8.1 for x64-based Systems (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2012 R2 (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows RT and Windows RT 8.1
Windows RT[1](3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows RT 8.1[1](3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows 10
Windows 10 for 32-bit Systems[2](3081436) Important  Security Feature Bypass Not applicable Not applicable Important  Security Feature Bypass None
Windows 10 for x64-based Systems[2](3081436) Important  Security Feature Bypass Not applicable Not applicable Important  Security Feature Bypass None
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2012 (Server Core installation) (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078
Windows Server 2012 R2 (Server Core installation) (3078601) Important  Security Feature Bypass Important  Elevation of Privilege Important  Elevation of Privilege Important  Security Feature Bypass 3079904 in MS15-078

[1]This update is available via Windows Update only.

[2]The Windows 10 update is cumulative. In addition to containing non-security updates, it also contains all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with this month’s security release. The update is available via the Windows Update Catalog only. See Microsoft Knowledge Base Article 3081436 for more information and download links.

*The Updates Replaced column shows only the latest update in a chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is on the Package Details tab).

Microsoft .NET Framework

Operating System **Component                                                            ** OpenType Font Parsing Vulnerability - CVE-2015-2460 OpenType Font Parsing Vulnerability - CVE-2015-2462 TrueType Font Parsing Vulnerability - CVE-2015-2455 TrueType Font Parsing Vulnerability - CVE-2015-2456 TrueType Font Parsing Vulnerability - CVE-2015-2463 TrueType Font Parsing Vulnerability - CVE-2015-2464 Updates Replaced
Windows Vista
Windows Vista Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (3072303) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 2861190 in MS13-082 and 3048068 in MS15-044
Windows Vista Service Pack 2 Microsoft .NET Framework 4[1](3072309) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048074 in MS15-044
Windows Vista Service Pack 2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3072310) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048077 in MS15-044
Windows Vista Service Pack 2 Microsoft .NET Framework 4.6 (3072311) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048077 in MS15-044
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (3072303) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 2861190 in MS13-082 and 3048068 in MS15-044
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 4[1](3072309) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048074 in MS15-044
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3072310) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048077 in MS15-044
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 4.6 (3072311) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048077 in MS15-044
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (3072303) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 2861190 in MS13-082 and 3048068 in MS15-044
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 4[1](3072309) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048074 in MS15-044
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3072310) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048077 in MS15-044
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 4.6 (3072311) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048077 in MS15-044
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (3072303) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 2861190 in MS13-082 and 3048068 in MS15-044
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 4[1](3072309) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048074 in MS15-044
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3072310) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048077 in MS15-044
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 4.6 (3072311) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048077 in MS15-044
Windows 7
Windows 7 for 32-bit Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (3072305) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048070 in MS15-044
Windows 7 for x64-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (3072305) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048070 in MS15-044
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (3072305) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048070 in MS15-044
Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems Microsoft .NET Framework 3.5 (3072306) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048071 in MS15-044
Windows 8 for x64-based Systems Microsoft .NET Framework 3.5 (3072306) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048071 in MS15-044
Windows 8.1 for 32-bit Systems Microsoft .NET Framework 3.5 (3072307) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048072 in MS15-044
Windows 8.1 for x64-based Systems Microsoft .NET Framework 3.5 (3072307) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048072 in MS15-044
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 Microsoft .NET Framework 3.5 (3072306) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048071 in MS15-044
Windows Server 2012 R2 Microsoft .NET Framework 3.5 (3072307) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048072 in MS15-044
Windows 10
Windows 10 for 32-bit Systems Microsoft .NET Framework 3.5[2](3081436) Not applicable Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable None
Windows 10 for 64-bit Systems Microsoft .NET Framework 3.5[2](3081436) Not applicable Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable None
Server Core installation option
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Microsoft .NET Framework 3.5.1 (3072305) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048070 in MS15-044
Windows Server 2012 (Server Core installation) Microsoft .NET Framework 3.5 (3072306) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048071 in MS15-044
Windows Server 2012 R2 (Server Core installation) Microsoft .NET Framework 3.5 (3072307) Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution Critical  Remote Code Execution 3048072 in MS15-044

[1].NET Framework 4 and .NET Framework 4 Client Profile affected.

[2] The Windows 10 update is cumulative. In addition to containing non-security updates, it also contains all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with this month’s security release. The update is available via the Windows Update Catalog only. See Microsoft Knowledge Base Article 3081436 for more information and download links.

Note Updates are also available for Microsoft .NET Framework 4.6 RC, which are available via the Microsoft Download Center and Windows Update.

*The Updates Replaced column shows only the latest update in a chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is on the Package Details tab).

Microsoft Office

Office Software Microsoft Office Graphics Component Remote Code Execution Vulnerability - CVE-2015-2431 TrueType Font Parsing Vulnerability - CVE-2015-2435 TrueType Font Parsing Vulnerability - CVE-2015-2455 TrueType Font Parsing Vulnerability - CVE-2015-2456 TrueType Font Parsing Vulnerability - CVE-2015-2463 TrueType Font Parsing Vulnerability - CVE-2015-2464 Updates Replaced
Microsoft Office 2007 Service Pack 3\ (3054890) Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution 2883029 in MS15-044
Microsoft Office 2010 Service Pack 2\ (32-bit editions)\ (3054846) Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution 2881073 in MS15-044
Microsoft Office 2010 Service Pack 2\ (64-bit editions)\ (3054846) Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution Important \ Remote Code Execution 2881073 in MS15-044

Microsoft Communications Platforms and Software

Software Microsoft Office Graphics Component Remote Code Execution Vulnerability - CVE-2015-2431 TrueType Font Parsing Vulnerability - CVE-2015-2435 TrueType Font Parsing Vulnerability - CVE-2015-2455 TrueType Font Parsing Vulnerability - CVE-2015-2456 TrueType Font Parsing Vulnerability - CVE-2015-2463 TrueType Font Parsing Vulnerability - CVE-2015-2464 Updates Replaced
Microsoft Live Meeting 2007 Console[1]\ (3075591) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3051467 in MS15-044
Microsoft Lync 2010 (32-bit)\ (3075593) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3051464 in MS15-044
Microsoft Lync 2010 (64-bit)\ (3075593) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3051464 in MS15-044
Microsoft Lync 2010 Attendee[1]\ (user level install)\ (3075592) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3051465 in MS15-044
Microsoft Lync 2010 Attendee\ (admin level install)\ (3075590) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3051466 in MS15-044
Microsoft Lync 2013 Service Pack 1 (32-bit)[2]\ (Skype for Business)\ (3055014) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution See Update FAQ for prerequisite updates.
Microsoft Lync Basic 2013 Service Pack 1 (32-bit)[2]\ (Skype for Business Basic)\ (3055014) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution See Update FAQ for prerequisite updates.
Microsoft Lync 2013 Service Pack 1 (64-bit)[2]\ (Skype for Business)\ (3055014) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution See Update FAQ for prerequisite updates.
Microsoft Lync Basic 2013 Service Pack 1 (64-bit)[2]\ (Skype for Business Basic)\ (3055014) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution See Update FAQ for prerequisite updates.

[1]This update is available from the Microsoft Download Center only.

[2]Before installing this update, you must have update 2965218 and security update 3039779 installed. See the Update FAQ for more information.

Microsoft Developer Tools and Software

Software TrueType Font Parsing Vulnerability - CVE-2015-2435 TrueType Font Parsing Vulnerability - CVE-2015-2455 TrueType Font Parsing Vulnerability - CVE-2015-2456 TrueType Font Parsing Vulnerability - CVE-2015-2463 TrueType Font Parsing Vulnerability - CVE-2015-2464 Updates Replaced
Microsoft Silverlight 5 when installed on Mac\ (3080333) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3056819 in MS15-044
Microsoft Silverlight 5 Developer Runtime when installed on Mac\ (3080333) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3056819 in MS15-044
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows clients\ (3080333) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3056819 in MS15-044
Microsoft Silverlight 5 Developer Runtime when installed on all supported releases of Microsoft Windows clients\ (3080333) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3056819 in MS15-044
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows servers\ (3080333) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3056819 in MS15-044
Microsoft Silverlight 5 Developer Runtime when installed on all supported releases of Microsoft Windows servers\ (3080333) Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution Critical \ Remote Code Execution 3056819 in MS15-044

Update FAQ

There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Affected Software table for the software?
Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.

How do I determine which version of Microsoft .NET Framework is installed? 
You can install and run multiple versions of .NET Framework on a system, and you can install the versions in any order. For more information, see Microsoft Knowledge Base Article 318785.

What is the difference between .NET Framework 4 and .NET Framework 4 Client Profile?
The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. The .NET Framework 4 Client Profile is a subset of the .NET Framework 4 profile that is optimized for client applications. It provides functionality for most client applications, including Windows Presentation Foundation (WPF), Windows Forms, Windows Communication Foundation (WCF), and ClickOnce features. This enables faster deployment and a smaller install package for applications that target the .NET Framework 4 Client Profile. For more information, see the MSDN article, .NET Framework Client Profile

Do I need to install these security updates in a particular sequence?
No. Multiple updates for a given system can be applied in any sequence.

I am running Office 2010, which is listed as affected software. Why am I not being offered the 3054846 update?
The 3054846 update is not applicable to Office 2010 on Windows Vista and later versions of Windows because the vulnerable code is not present.

I am being offered this update for software that is not specifically indicated as being affected in the Affected Software and Vulnerability Severity Ratings table. Why am I being offered this update?
When updates address vulnerable code that exists in a component that is shared between multiple Microsoft Office products or shared between multiple versions of the same Microsoft Office product, the update is considered to be applicable to all supported products and versions that contain the vulnerable component.

For example, when an update applies to Microsoft Office 2007 products, only Microsoft Office 2007 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2007, Microsoft Excel 2007, Microsoft Visio 2007, Microsoft Compatibility Pack, Microsoft Excel Viewer, or any other Microsoft Office 2007 product that is not specifically listed in the Affected Software table. Furthermore, when an update applies to Microsoft Office 2010 products, only Microsoft Office 2010 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2010, Microsoft Excel 2010, Microsoft Visio 2010, Microsoft Visio Viewer, or any other Microsoft Office 2010 product that is not specifically listed in the Affected Software table.

For more information on this behavior and recommended actions, see Microsoft Knowledge Base Article 830335. For a list of Microsoft Office products an update may apply to, refer to the Microsoft Knowledge Base Article associated with the specific update.

Are there any prerequisites for any of the updates offered in this bulletin for affected editions of Microsoft Lync 2013 (Skype for Business)?
Yes. Customers running affected editions of Microsoft Lync 2013 (Skype for Business) must first install the 2965218 update for Office 2013 released in April, 2015, and then the 3039779 security update released in May, 2015. For more information about these two prerequisite updates, see:

Are there any related non-security updates that customers should install along with the Microsoft Live Meeting Console security update? 
Yes, in addition to releasing a security update for Microsoft Live Meeting Console, Microsoft has released the following non-security updates for the OCS Conferencing Addin for Outlook. Where applicable, Microsoft recommends that customers install these updates to keep their systems up-to-date:

  • OCS Conferencing Addin for Outlook (32-bit) (3079743)
  • OCS Conferencing Addin for Outlook (64-bit) (3079743)

See Microsoft Knowledge Base Article 3079743 for more information.

Why is the Lync 2010 Attendee (user level install) update only available from the Microsoft Download Center? 
Microsoft is releasing the update for Lync 2010 Attendee (user level install) to the Microsoft Download Center only. Because the user level installation of Lync 2010 Attendee is handled through a Lync session, distribution methods such as automatic updating are not appropriate for this type of installation scenario.

Which web browsers support Microsoft Silverlight applications?
To be able to run Microsoft Silverlight applications, most web browsers, including Microsoft Internet Explorer, require Microsoft Silverlight to be installed and the corresponding plug-in to be enabled. For more information about Microsoft Silverlight, see the official site, Microsoft Silverlight. Please refer to the documentation of your browser to learn more about how to disable or remove plug-ins.

What versions of Microsoft Silverlight 5 are affected by the vulnerability?
Microsoft Silverlight build 5.1.40728, which was the current build of Microsoft Silverlight as of when this bulletin was first released, addresses the vulnerability and is not affected. Builds of Microsoft Silverlight previous to 5.1.40728 are affected.

How do I know which version and build of Microsoft Silverlight is currently installed on my system? 
If Microsoft Silverlight is already installed on your computer, you can visit the Get Microsoft Silverlight page, which will indicate which version and build of Microsoft Silverlight is currently installed on your system. Alternatively, you can use the Manage Add-Ons feature of current versions of Microsoft Internet Explorer to determine the version and build information that is currently installed on your system.

You can also manually check the version number of sllauncher.exe located in the “%ProgramFiles%\Microsoft Silverlight” directory (on x86 Microsoft Windows systems) or in the “%ProgramFiles(x86)%\Microsoft Silverlight” directory (on x64 Microsoft Windows systems).

In addition, on Microsoft Windows, the version and build information of the currently installed version of Microsoft Silverlight can be found in the registry at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Silverlight]:Version on x86 Microsoft Windows systems, or [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight]:Version on x64 Microsoft Windows systems.

On Apple Mac OS, the version and build information of the currently installed version of Microsoft Silverlight can be found as follows:

  1. Open the Finder
  2. Select the system drive and go to the folder Internet Plug-ins - Library
  3. Right-click the file Silverlight.Plugin (if your mouse has only one button, press the Ctrl key while clicking on the file) to bring up the context menu, then click Show Package Contents
  4. Inside the contents folder, locate the file info.plist and open it with an editor. It will contain an entry like this, which shows you the version number:
    SilverlightVersion
    5.1.40728

The version installed with this security update for Microsoft Silverlight 5 is 5.1.40728. If your Microsoft Silverlight 5 version number is higher than or equal to this version number, your system is not vulnerable.

How do I upgrade my version of Microsoft Silverlight? 
The Microsoft Silverlight auto-update feature helps make sure that your Microsoft Silverlight installation is kept up to date with the latest version of Microsoft Silverlight, Microsoft Silverlight functionality, and security features. For more information about the Microsoft Silverlight auto-update feature, see the Microsoft Silverlight Updater. Windows users who have disabled the Microsoft Silverlight auto-update feature can enroll in Microsoft Update to obtain the latest version of Microsoft Silverlight, or can download the latest version of Microsoft Silverlight manually using the download link in the Affected Software table in the earlier section, Affected and Non-Affected Software. For information about deploying Microsoft Silverlight in an enterprise environment, see the Silverlight Enterprise Deployment Guide.

Will this update upgrade my version of Silverlight? 
The 3080333 update upgrades previous versions of Silverlight to Silverlight version 5.1.40728. Microsoft recommends upgrading to be protected against the vulnerability described in this bulletin.

Where can I find additional information about the Silverlight product lifecycle?
For lifecycle information specific to Silverlight, see the Microsoft Silverlight Support Lifecycle Policy.

Vulnerability Information

Multiple OpenType Font Parsing Vulnerabilities

Remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited these vulnerabilities could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerabilities, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerabilities by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

The following tables contain links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title CVE number Publicly disclosed Exploited
OpenType Font Parsing Vulnerability CVE-2015-2432 No No
OpenType Font Parsing Vulnerability CVE-2015-2458 No No
OpenType Font Parsing Vulnerability CVE-2015-2459 No No
OpenType Font Parsing Vulnerability CVE-2015-2460 No No
OpenType Font Parsing Vulnerability CVE-2015-2461 No No
OpenType Font Parsing Vulnerability CVE-2015-2462 No No

Mitigating Factors

Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds

The following workarounds may be helpful in your situation:

  • Rename ATMFD.DLL

    For 32-bit systems:

    1. Enter the following commands at an administrative command prompt:

      cd "%windir%\system32"  
      takeown.exe /f atmfd.dll
      icacls.exe atmfd.dll /save atmfd.dll.acl  
      icacls.exe atmfd.dll /grant Administrators:(F)  
      rename atmfd.dll x-atmfd.dll
      
    2. Restart the system.

    For 64-bit systems:

    1. Enter the following commands at an administrative command prompt:

      cd "%windir%\system32" 
      takeown.exe /f atmfd.dll  
      icacls.exe atmfd.dll /save atmfd.dll.acl
      icacls.exe atmfd.dll /grant Administrators:(F)
      rename atmfd.dll x-atmfd.dll
      cd "%windir%\syswow64"
      takeown.exe /f atmfd.dll
      icacls.exe atmfd.dll /save atmfd.dll.acl  
      icacls.exe atmfd.dll /grant Administrators:(F)  
      rename atmfd.dll x-atmfd.dll
      
    2. Restart the system.

    Optional procedure for Windows 8 and later operating systems (disable ATMFD):

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    Method 1 (manually edit the system registry):

    1. Run regedit.exe as Administrator.

    2. In Registry Editor, navigate to the following sub key (or create it) and set its DWORD value to 1:

      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 1

    3. Close Registry Editor and restart the system.

    Method 2 (use a managed deployment script):

    1. Create a text file named ATMFD-disable.reg that contains the following text:

      Windows Registry Editor Version 5.00  
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]  
      "DisableATMFD"=dword:00000001
      
    2. Run regedit.exe.

    3. In Registry Editor, click the File menu and then click Import.

    4. Navigate to and select the ATMFD-disable.reg file that you created in the first step.
      (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files).

    5. Click Open and then click OK to close Registry Editor.

    Impact of workaround. Applications that rely on embedded font technology will not display properly. Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.

    How to undo the workaround.

    For 32-bit systems:

    1. Enter the following commands at an administrative command prompt:

      cd "%windir%\system32"
      rename x-atmfd.dll atmfd.dll  
      icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"  
      icacls.exe . /restore atmfd.dll.acl
      
    2. Restart the system.

    For 64-bit systems:

    1. Enter the following commands at an administrative command prompt:

      cd "%windir%\system32"  
      rename x-atmfd.dll atmfd.dll  
      icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"  
      icacls.exe . /restore atmfd.dll.acl  
      cd "%windir%\syswow64"  
      rename x-atmfd.dll atmfd.dll  
      icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"  
      icacls.exe . /restore atmfd.dll.acl
      
    2. Restart the system.

    Optional procedure for Windows 8 and later operating systems (enable ATMFD):

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    Method 1 (manually edit the system registry):

    1. Run regedit.exe as Administrator.

    2. In Registry Editor, navigate to the following sub key and set its DWORD value to 0:

      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 0

    3. Close Registry Editor and restart the system.

    Method 2 (use a managed deployment script):

    1. Create a text file named ATMFD-enable.reg that contains the following text:

      Windows Registry Editor Version 5.00
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
      "DisableATMFD"=dword:00000000
      2. Run regedit.exe.

    2. In Registry Editor, click the File menu and then click Import.

    3. Navigate to and select the ATMFD-enable.reg file that you created in the first step.
      (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files).

    4. Click Open and then click OK to close Registry Editor.

Multiple TrueType Font Parsing Vulnerabilities

Remote code execution vulnerabilities exist when components of Windows, .NET Framework, Office, Lync, and Silverlight fail to properly handle TrueType fonts. An attacker who successfully exploited these vulnerabilities could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerabilities, including by convincing a user to open a specially crafted document or by convincing them to visit an untrusted webpage that contains embedded TrueType fonts.

The update addresses the vulnerabilities by correcting how the Windows DirectWrite library handles TrueType fonts.

The following tables contain links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title CVE number Publicly disclosed Exploited
TrueType Font Parsing Vulnerability CVE-2015-2435 No No
TrueType Font Parsing Vulnerability CVE-2015-2455 No No
TrueType Font Parsing Vulnerability CVE-2015-2456 No No
TrueType Font Parsing Vulnerability CVE-2015-2463 No No
TrueType Font Parsing Vulnerability CVE-2015-2464 No No

Mitigating Factors

Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds

Microsoft has not identified any workarounds for these vulnerabilities.

Microsoft Office Graphics Component Remote Code Execution Vulnerability - CVE-2015-2431

A remote code execution vulnerability exists when Microsoft Office fails to properly handle Office Graphics Library (OGL) fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit this vulnerability, including by convincing users to open a specially crafted document or by convincing them to visit an untrusted webpage that contains embedded OGL fonts.

The update addresses the vulnerability by correcting how Office handles OGL fonts. Microsoft received information about the vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Kernel ASLR Bypass Vulnerability - CVE-2015-2433

A security feature bypass vulnerability exists when the Windows kernel fails to properly initialize a memory address, allowing an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. This issue affects all supported Windows operating systems and is considered to be an Important-class Security Feature Bypass (SFB). 

An attacker who successfully exploited this vulnerability could retrieve the base address of the kernel driver from a compromised process. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses. 

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. This vulnerability has been publicly disclosed. 

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Windows CSRSS Elevation of Privilege Vulnerability - CVE-2015-2453

An elevation of privilege vulnerability exists in the way that the Windows Client/Server Run-time Subsystem (CSRSS) terminates a process when a user logs off. An attacker who successfully exploited this vulnerability could run code that is designed to monitor the actions of a user who subsequently logs on to the system. This could allow the disclosure of sensitive information or access to data on the affected systems that was accessible to the logged-on user. This sensitive data could include the logon credentials of subsequent users, which an attacker might later use to elevate privilege or to execute code as a different user on the system. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system. If a user with administrative privileges subsequently logs on to the system, the attacker could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.

To exploit this vulnerability, an attacker would first have to log on to the system and run a specially crafted application that is designed to continue running after the attacker logs off. When a new user logs on with their own credentials, the attacker's process could monitor all actions performed by the newly logged-on user. If the newly logged-on user is an administrator, the information disclosed could be used to try to further compromise the affected system.

Systems where multiple users have permissions to log on locally and run untrusted applications are at the most risk from this vulnerability.

The update addresses the vulnerability by correcting how user processes are terminated upon logoff. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Windows KMD Security Feature Bypass Vulnerability - CVE-2015-2454

A security feature bypass vulnerability exists when the Windows kernel-mode driver fails to properly validate and enforce impersonation levels. An attacker who successfully exploited this vulnerability could bypass impersonation-level security and gain elevated privileges on a targeted system.

The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this bypass vulnerability in conjunction with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

The update addresses the vulnerability by correcting how Windows validates impersonation levels. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Windows Shell Security Feature Bypass Vulnerability - CVE-2015-2465

A security feature bypass vulnerability exists when the Windows shell fails to properly validate and enforce impersonation levels. An attacker who successfully exploited this vulnerability could bypass impersonation-level security and gain elevated privileges on a targeted system.

The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this bypass vulnerability in conjunction with another vulnerability. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

The update addresses the vulnerability by correcting how the Windows shell validates impersonation levels. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (August 11, 2015): Bulletin published.
  • V2.0 (August 21, 2015): Updated bulletin to inform customers running Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows Server 2008 R2 Service Pack 1, and Windows 7 Service Pack 1 that the 3078601 update on the Microsoft Download Center was updated on August 18, 2015. Microsoft recommends that customers who installed the 3078601 update via the Microsoft Download Center prior to August 18 reinstall the update to be fully protected from the vulnerabilities discussed in this bulletin.  If you installed update 3078601 via Windows Update, Windows Update Catalog, or WSUS, no action is required.
  • V2.1 (September 8, 2015): Revised bulletin to add an Update FAQ that explains why customers running Office 2010 on Windows Vista and later versions of Windows are not being offered the 3054846 update.
  • V2.2. (October 7, 2015): Added a footnote to the Microsoft Communication Platforms and Software table and an Update FAQ to explain that customers running affected editions of Microsoft Lync 2013 (Skype for Business) must install prerequisite updates before installing the 3055014 security update. See the Update FAQ for more information.

Page generated 2015-10-07 11:08-07:00. </https:>