Microsoft issues emergency fix for Windows flaw

Microsoft has issued an out-of-band patch for a security flaw in all supported versions of Windows that could allow attackers to take complete control of the affected system

Microsoft has issued an emergency security update to patch a flaw in all supported versions of Windows that could allow attackers to take over a computer.

The security update, which comes less than a week after Microsoft’s monthly security update for July, addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts, Microsoft said in a security bulletin.

Microsoft has rated the vulnerability – CVE-2015-2426 – as “critical” but points out that the flaw could allow remote code execution only if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

However, Microsoft said an attacker who successfully exploited this vulnerability could take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.

When this security bulletin was issued, Microsoft said it had information to indicate that this vulnerability was public, but did not have any information to indicate this vulnerability had been used to attack customers.

However, Microsoft said analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.

Rapid7 security engineering manager Tod Beardsley said all Windows users are encouraged to update their Windows clients as soon as practical.

“Failing a patch and restart, Windows users should disable this font-rendering service entirely by following the detailed instructions provided by Microsoft's security advisory,” he said.

Independent security consultant Graham Cluley noted that there are no patches for the no-longer-supported Windows XP and Windows Server 2003.

“But you surely realised long ago that continuing to use those versions of Windows was a dangerous game, right?” he wrote in a blog post.

1 comment

Here we go again, a new patch for the latest fix, deja vu all over again. Then again, what else are we to expect when dealing with a tiny little company that has no resources for in-house testing.

It's much quicker (and cheaper) to release raw updates and let the world be the beta tester....