Microsoft has issued an emergency out-of-band security patch for all supported versions of Windows, fixing a critical remote code execution vulnerability that could be exploited by hackers to infect computers with malware.
Details of the flaw, which relates to how the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts, are believed to be public – although Microsoft says it is not aware of any customers being attacked… yet.
Nonetheless, the company clearly feels the problem is serious enough to warrant issuing a security fix outside of its normal “Patch Tuesday” schedule.
An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.
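As an added example (not part of this post, and not code from Microsoft or the advisory), here is a small Python scanner for the delivery vector described above: it finds sfnt-format fonts embedded anywhere in an arbitrary blob such as a downloaded document or a web response, parses and sanity-checks the sfnt table directory so that chance byte matches are rejected, and flags the fonts with CFF (PostScript) outlines, which I take to be the flavour the Adobe Type Manager Library parses (that mapping is my assumption, not something the post states). The sample blob is constructed for the example; it is not a real document and the table contents are placeholders, not real font programs.

```python
import struct
from typing import Dict, List

# sfntVersion values from the OpenType spec. 'OTTO' marks CFF (PostScript)
# outlines; 0x00010000 and 'true' mark TrueType outlines. Assumption in this
# example: the CFF-flavoured fonts are the ones the Adobe Type Manager Library
# parses, so those are the ones flagged for closer inspection.
SFNT_MAGICS = {
    b"OTTO": "OpenType/CFF",
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType",
}
MAX_TABLES = 64  # sanity limit; real fonts have far fewer tables than this


def parse_sfnt_directory(data: bytes, offset: int) -> Dict:
    """Parse the sfnt header and table directory starting at `offset`.

    Returns {"flavor", "tables", "end"} or raises ValueError when the bytes do
    not form a plausible directory (used to reject chance magic-byte matches).
    """
    if offset + 12 > len(data):
        raise ValueError("truncated sfnt header")
    flavor = SFNT_MAGICS.get(data[offset:offset + 4])
    if flavor is None:
        raise ValueError("not an sfnt header")
    (num_tables,) = struct.unpack(">H", data[offset + 4:offset + 6])
    if not 0 < num_tables <= MAX_TABLES:
        raise ValueError("implausible table count")
    dir_start = offset + 12
    dir_end = dir_start + 16 * num_tables
    if dir_end > len(data):
        raise ValueError("truncated table directory")
    tables: Dict[str, int] = {}
    end = dir_end
    for i in range(num_tables):
        rec = data[dir_start + 16 * i:dir_start + 16 * i + 16]
        tag, _checksum, tbl_off, length = struct.unpack(">4sIII", rec)
        if not all(0x20 <= c <= 0x7E for c in tag):
            raise ValueError("non-printable table tag")
        # Table offsets are relative to the start of the font, not the blob,
        # and must land after the directory and inside the blob.
        if tbl_off < dir_end - offset or offset + tbl_off + length > len(data):
            raise ValueError("table record points outside the blob")
        tables[tag.decode("ascii")] = length
        end = max(end, offset + tbl_off + length)
    return {"flavor": flavor, "tables": tables, "end": end}


def find_embedded_fonts(data: bytes) -> List[Dict]:
    """Scan a blob (document, HTTP body, memory dump) for embedded sfnt fonts.

    Each hit records its offset, flavour, table tags and whether it carries
    CFF outlines. Bytes inside an accepted font are not rescanned, so a magic
    value occurring inside a font body does not produce a nested false hit.
    """
    candidates = []
    for magic in SFNT_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            candidates.append(pos)
            pos = data.find(magic, pos + 1)
    hits: List[Dict] = []
    skip_until = 0
    for pos in sorted(candidates):
        if pos < skip_until:
            continue  # inside a font we already accepted
        try:
            info = parse_sfnt_directory(data, pos)
        except ValueError:
            continue  # chance byte match, not a font
        hits.append({
            "offset": pos,
            "flavor": info["flavor"],
            "tables": sorted(info["tables"]),
            "cff": info["flavor"] == "OpenType/CFF" or "CFF " in info["tables"],
        })
        skip_until = info["end"]
    return hits


def build_sfnt(magic: bytes, tables: Dict[bytes, bytes]) -> bytes:
    """Assemble a minimal, structurally valid sfnt container (constructed test
    data only; searchRange/entrySelector/rangeShift are left at zero)."""
    header = magic + struct.pack(">HHHH", len(tables), 0, 0, 0)
    records, body = b"", b""
    off = 12 + 16 * len(tables)
    for tag, content in tables.items():
        padded = content + b"\0" * (-len(content) % 4)
        records += struct.pack(">4sIII", tag, 0, off, len(content))
        body += padded
        off += len(padded)
    return header + records + body


# Constructed sample: a document-like blob carrying one CFF-flavoured font and
# one TrueType-flavoured font, with filler bytes around them.
SAMPLE_BLOB = (
    b"%PDF-1.4 constructed sample, not a real document\n"
    + build_sfnt(b"OTTO", {b"CFF ": b"\x01\x00\x04\x01", b"head": b"\0" * 54})
    + b"\n/Length 99\n"
    + build_sfnt(b"\x00\x01\x00\x00", {b"glyf": b"\0" * 8, b"head": b"\0" * 54})
    + b"\n%%EOF\n"
)


def cff_font_offsets(data: bytes = SAMPLE_BLOB) -> List[int]:
    """Offsets of embedded fonts that carry CFF outlines (the flagged kind)."""
    return [h["offset"] for h in find_embedded_fonts(data) if h["cff"]]


if __name__ == "__main__":
    for hit in find_embedded_fonts(SAMPLE_BLOB):
        flag = "flagged: CFF outlines" if hit["cff"] else "TrueType, not flagged"
        print(f"offset {hit['offset']:#x}: {hit['flavor']} tables={hit['tables']} ({flag})")
```

Run it over anything you have extracted from mail gateways or web proxies and the flagged offsets tell you which samples deserve a closer look or quarantine until the patch is out; a magic value on its own is not enough, which is why the directory checks are there.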
For more information, read the Microsoft Security advisory, which describes workarounds if it is not possible for you to quickly roll out the patch across your organisation.
Of course, there are no patches for the now no-longer-supported Windows XP and Windows Server 2003. But you surely realised long ago that continuing to use those versions of Windows was a dangerous game, right?
Update: It has become apparent that the vulnerability fixed by this patch was one of the zero-day exploits that tumbled out of the breach at Hacking Team.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.