Microsoft has broken their trend of releasing hotfixes on the second Tuesday of every month to release a vital “out of band” security patch. The critical flaw entitled MS15-078 is a vulnerability in the Microsoft Font Driver which allows Remote Code execution. In basic terms, this means any webpage or document containing embedded OpenType fonts could become a major security risk. Microsoft explained the situation and why it’s imperative to enable automatic updates or download the patch:
“An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
“There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.”
“When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.”
All Windows users are advised to update as a matter of urgency to keep their system secure. However, Windows XP customers cannot access this fix due to the lack of support for that particular operating system. Microsoft believes this security hole could lead to a huge influx of malware. Once the update has finished installing, a reboot will be required. This couldn’t have come at a worse time for Microsoft with the pending launch of Windows 10. The Redmond-based company needs to establish their latest products as an extremely secure platform to make users more inclined to upgrade.
Thank you The Register for providing us with this information.