
Microsoft issues emergency fix for Windows flaw
Microsoft has issued an out-of-band patch for a security flaw in all supported versions of Windows that could allow attackers to take complete control of the affected system
Microsoft has issued an emergency security update to patch a flaw in all supported versions of Windows that could allow attackers to take over a computer.
The security update, which comes less than a week after Microsoft’s monthly security update for July, addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts, Microsoft said in a security bulletin.
Microsoft has rated the vulnerability – CVE-2015-2426 – as “critical” but points out that the flaw could allow remote code execution only if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.
However, Microsoft said an attacker who successfully exploited this vulnerability could take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.
When this security bulletin was issued, Microsoft said it had information to indicate that this vulnerability was public, but did not have any information to indicate this vulnerability had been used to attack customers.
However, Microsoft said analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.
Rapid7 security engineering manager Tod Beardsley said all Windows users are encouraged to update their Windows clients as soon as practical.
“Failing a patch and restart, Windows users should disable this font-rendering service entirely by following the detailed instructions provided by Microsoft's security advisory,” he said.
Independent security consultant Graham Cluley noted that there are no patches for the now no-longer-supported Windows XP and Windows Server 2003.
“But you surely realised long ago that continuing to use those versions of Windows was a dangerous game, right?” he wrote in a blog post.