Update Windows now! Microsoft issues emergency security patch

Microsoft has issued an emergency out-of-band security patch for all versions of Windows, fixing a critical remote code execution vulnerability that could be exploited by hackers to infect computers with malware.

Details of the flaw, which relate to how the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts, are believed to be public – although Microsoft says it is not aware of any customers being attacked… yet.

Nonetheless, the company clearly feels the problem is serious enough to warrant issuing a security fix outside of its normal “Patch Tuesday” schedule.

An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

For more information, read the Microsoft Security advisory, which describes workarounds if it is not possible for you to quickly roll out the patch across your organisation.
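To turn the advisory's advice into something you can act on across a fleet, here is an added PowerShell example (not from the article, and not Microsoft's own tooling) that reports which machines have the out-of-band update installed and which still need the patch or, failing that, the interim workarounds the advisory describes. The KB number is a placeholder because the article does not give it; the hostnames are constructed samples; `Get-HotFix` and `Get-CimInstance` are standard cmdlets and need administrative rights on the remote hosts.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumptions: $KbId is a placeholder (take the real KB number from the advisory),
# $Computers is a constructed sample list, and remote WMI/CIM access is permitted.

$KbId      = 'KBXXXXXXX'                        # placeholder, not the real KB number
$Computers = @('ws01', 'ws02', 'fileserver01')   # constructed sample hostnames

$results = foreach ($c in $Computers) {
    try {
        # OS caption/version lets you spot hosts that can never receive this patch
        $os  = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        # Get-HotFix returns nothing when the update is absent
        $fix = Get-HotFix -Id $KbId -ComputerName $c -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $c
            OS          = $os.Caption
            Build       = $os.Version
            Patched     = [bool]$fix
            InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
        }
    } catch {
        # Unreachable hosts (often the oldest, unsupported ones) still need attention
        [pscustomobject]@{ Computer = $c; OS = 'unreachable'; Build = $null; Patched = $false; InstalledOn = $null }
    }
}

# Unpatched hosts first: these need the update or the advisory's workarounds
$results | Sort-Object Patched | Format-Table -AutoSize
$results | Where-Object { -not $_.Patched } |
    Export-Csv -Path .\unpatched-hosts.csv -NoTypeInformation
```

Run it from a management workstation with credentials that can query the targets; the CSV of unpatched hosts is the list to work through with the advisory's workarounds until the patch has been deployed everywhere.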

Of course, there are no patches for the now no-longer-supported Windows XP and Windows Server 2003. But you surely realised long ago that continuing to use those versions of Windows was a dangerous game, right?

Update: It has become apparent that the vulnerability fixed by this patch was one of the zero-day exploits that tumbled out of the breach at Hacking Team.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
