All supported versions of Microsoft Windows now need to be urgently patched to fix a remote code-execution vulnerability.
This latest serious security flaw (MS15-078, tracked as CVE-2015-2426) lies in the Windows Adobe Type Manager Library (ATMFD.dll), the component that parses OpenType fonts. Attackers can exploit it to take over vulnerable PCs and install malware: a user who opens a document, or merely visits a web page, that carries a malicious embedded OpenType font can be compromised without any further interaction.
The reason the bug is so serious is where the code runs. Windows parses fonts in kernel mode: the Adobe Type Manager font driver is loaded into the kernel rather than into a sandboxed user process, so a parsing bug that is fed malformed font data does not just crash one application but hands the attacker code execution at the highest privilege level on the machine. Microsoft explained this in its advisory:
An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.
When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.
Microsoft credited the discovery to researchers at FireEye and Trend Micro and to Google's Project Zero, a team that hunts for unknown vulnerabilities in widely used code.
The vulnerability affects every supported version of Windows. If your computer is set to update automatically the patch will be installed for you, but a reboot is required before the fix takes effect. No patch will be issued for Windows XP or Windows Server 2003, which Microsoft no longer supports, so machines still running those systems remain exposed.
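The following PowerShell script is an added example, not code from the article or from Microsoft, that turns the advice above into a check an administrator can run across a fleet: is the MS15-078 update present, has the machine rebooted since, and is it one of the unsupported systems that will never get a fix. It assumes KB3079904 (the KB number Microsoft attached to the MS15-078 bulletin) and needs PowerShell 3.0 or later. On Windows 10, which receives the fix inside a cumulative update with its own KB number, pass that number with -KbIds.

```powershell
# Added example (not from the original article): report MS15-078 patch status on the local machine.
# KB3079904 is the KB number of the MS15-078 bulletin. Windows 10 ships the fix inside a cumulative
# update with a different KB number, so supply that number via -KbIds when auditing Windows 10 hosts.
param(
    [string[]]$KbIds = @('KB3079904')
)

$os = Get-CimInstance Win32_OperatingSystem
# Windows XP (NT 5.1) and Server 2003 (NT 5.2) get no fix: flag them instead of reporting "patch missing".
$ntMajor = [int](($os.Version -split '\.')[0])
if ($ntMajor -lt 6) {
    Write-Warning "$($os.Caption) is out of support; no MS15-078 update exists for it. Plan a migration."
    return
}

# Get-HotFix reads the installed-updates store; a matching KB means the update was installed.
# Caveat: a later update that supersedes KB3079904 also carries the fix but shows a different KB,
# so a "missing" result on a machine patched months later needs a second look, not blind alarm.
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $KbIds -contains $_.HotFixID }

# The patched library is not in use until the machine restarts; check the usual pending-reboot markers.
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$rebootPending = (Test-Path $cbs) -or (Test-Path $wu)

# ATMFD.dll is the library the bulletin patches; record its file version for the inventory.
$atmfd = Join-Path $env:SystemRoot 'System32\atmfd.dll'
$atmfdVersion = if (Test-Path $atmfd) { (Get-Item $atmfd).VersionInfo.FileVersion } else { 'not present' }

$status = if (-not $installed)  { 'MISSING: install MS15-078' }
          elseif ($rebootPending) { 'INSTALLED but reboot pending' }
          else                    { 'OK' }

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    OS            = $os.Caption
    PatchPresent  = [bool]$installed
    InstalledOn   = ($installed | Select-Object -First 1).InstalledOn
    RebootPending = $rebootPending
    AtmfdVersion  = $atmfdVersion
    Status        = $status
}
```

Run it locally, or wrap it in Invoke-Command to sweep a list of hosts and collect the objects into a single report; anything not reporting OK is a machine on which a malicious font in a document or web page still yields kernel-mode code execution.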