Update Windows now! Microsoft issues emergency security patch

Graham Cluley

Microsoft has issued an emergency out-of-band security patch for all versions of Windows, fixing a critical remote code execution vulnerability that could be exploited by hackers to infect computers with malware.

Details of the flaw, which relate to how the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts, are believed to be public – although Microsoft says it is not aware of any customers being attacked… yet.

Nonetheless, the company clearly feels the problem is serious enough to warrant issuing a security fix outside of its normal “Patch Tuesday” schedule.

An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

For more information, read the Microsoft Security advisory, which describes workarounds if it is not possible for you to quickly roll out the patch across your organisation.

Of course, there are no patches for the now no-longer-supported Windows XP and Windows Server 2003. But you surely realised long ago that continuing to use those versions of Windows was a dangerous game, right?

Update: It has become apparent that the vulnerability fixed by this patch was one of the zero-day exploits that tumbled out of the breach at Hacking Team.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.