Update Windows now! Microsoft issues emergency security patch

Microsoft has issued an emergency out-of-band security patch for all versions of Windows, fixing a critical remote code execution vulnerability that could be exploited by hackers to infect computers with malware.

Details of the flaw, which relate to how the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts, are believed to be public – although Microsoft says it is not aware of any customers being attacked… yet.

Nonetheless, the company clearly feels the problem is serious enough to warrant issuing a security fix outside of its normal “Patch Tuesday” schedule.

An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

For more information, read the Microsoft Security advisory, which describes workarounds if it is not possible for you to quickly roll out the patch across your organisation.
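Since the fix is out-of-band, it is worth confirming it actually landed on each machine rather than trusting the deployment tool. The script below is an added example, not from the article or from Microsoft: it reports whether a given hotfix ID is installed and what version of the Adobe Type Manager font driver library is on disk. The KB number and "fixed" file version are placeholders to be filled in from the Microsoft advisory for your Windows build, and `atmfd.dll` in `System32` is an assumption about the on-disk name of the library the article refers to.

```powershell
# Added example (not the article's or Microsoft's own code): report the
# patch state of the Adobe Type Manager Library on this host.
# ASSUMPTIONS:
#   - $HotfixId and $FixedVersion are placeholders; take the real values
#     from the Microsoft advisory for your Windows version.
#   - atmfd.dll under System32 is assumed to be the on-disk name of the
#     Adobe Type Manager Library the advisory describes.

param(
    [string]$HotfixId = 'KB0000000',    # placeholder, replace from the advisory
    [version]$FixedVersion = '0.0.0.0'  # placeholder, replace from the advisory
)

function Test-AtmPatchState {
    param(
        [Parameter(Mandatory)][string]$HotfixId,
        [Parameter(Mandatory)][version]$FixedVersion
    )

    $result = [ordered]@{
        Computer       = $env:COMPUTERNAME
        HotfixPresent  = $false
        LibraryPath    = $null
        LibraryVersion = $null
        LibraryIsFixed = $null   # stays $null if the library is not on disk
    }

    # 1. Is the hotfix listed among installed updates?
    #    Get-HotFix reads Win32_QuickFixEngineering; a missing ID returns nothing.
    $hf = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    $result.HotfixPresent = [bool]$hf

    # 2. Independently of the update list, what version of the library is on disk?
    $path = Join-Path $env:SystemRoot 'System32\atmfd.dll'
    if (Test-Path $path) {
        $vi  = (Get-Item $path).VersionInfo
        # Build a comparable [version] from the numeric parts rather than parsing
        # the free-form FileVersion string.
        $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                               $vi.FileBuildPart, $vi.FilePrivatePart)
        $result.LibraryPath    = $path
        $result.LibraryVersion = $ver
        $result.LibraryIsFixed = ($ver -ge $FixedVersion)
    }

    [pscustomobject]$result
}

# Run locally; for a fleet, wrap the call in Invoke-Command against a computer list.
Test-AtmPatchState -HotfixId $HotfixId -FixedVersion $FixedVersion
```

Checking the file version as well as the hotfix list matters because `Get-HotFix` only reports what the Windows update store knows about; a library replaced by other means, or an update that rolled back, will show up in the version comparison but not in the hotfix list. A `LibraryIsFixed` of `$null` means the library was not found at the assumed path, which is a prompt to check the advisory's file list for that Windows version rather than a sign the machine is safe.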

Of course, there are no patches for the now no-longer-supported Windows XP and Windows Server 2003. But you surely realised long ago that continuing to use those versions of Windows was a dangerous game, right?

Update: It has become apparent that the vulnerability fixed by this patch was one of the zero-day exploits that tumbled out of the breach at Hacking Team.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.
