Microsoft: Hey, you. Done patching Windows this month? WRONG
Yet another serious vulnerability emerges from leaked Hacking Team archives
Microsoft is urging everyone to install an emergency security update for all supported versions of Windows to fix a remote-code execution vulnerability.
Details of the vulnerability were found and reported to Microsoft by security researchers poring over internal memos leaked online from spyware-maker Hacking Team. This follows an elevation-of-privilege hole in Windows and a remote-code execution bug in Internet Explorer 11 that were also uncovered from the Hacking Team files, and patched last week by Microsoft.
This latest serious security flaw (MS15-078) lies within the Windows Adobe Type Manager Library, and can be exploited by attackers to hijack PCs, infect them with malware, and so on. A victim who opens a document or even a webpage that contains a malicious embedded OpenType font file can be attacked thanks to this vulnerability.
Normally, security patches for Microsoft software are released as a bundle on the second Tuesday of every month. Today, the Redmond giant felt compelled to issue an emergency update for its operating system.
The security flaw is potent because Microsoft runs its font drivers in kernel mode, meaning if one of the libraries is fed bad data, the whole operating system can be compromised. Microsoft explained in an advisory:
An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.
When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.
Mateusz Jurczyk, of Google Project Zero, and Genwei Jiang, of FireEye, were thanked by Microsoft for finding this latest OpenType library flaw (CVE-2015-2426).
A spokesman for FireEye confirmed to The Register that the bug emerged from Hacking Team's internal files that were leaked online at the start of July by hackers. "It's something we found in the Hacking Team breach, and told Microsoft," he added.
Sysadmins at companies subscribed to Microsoft's confidential Advance Notification Service were warned over the weekend that an out-of-band patch was due to land at about 1000 PT (1300 ET, 1700 UTC) on Monday, July 20. The fix will require a reboot after it is applied.
People are urged to install the update as soon as possible, and long before miscreants begin to exploit the vulnerability to spread malware and misery.
"The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically," Microsoft warned IT bods.
"For those manually updating, we strongly encourage you to apply this update as quickly as possible following the release of the security bulletin."
The patch is available for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 and Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1, and Server Core. It is not available for Server 2003 or Windows XP, as they are no longer supported (unless you have an agreement with Microsoft). ®