Microsoft issues emergency fix for Windows flaw

Microsoft has issued and emergency security update to patch a flaw in all supported versions of Windows that could allow attackers to take over a computer.

The security update, which comes less than a week after Microsoft’s monthly security update for July, addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts, Microsoft said in a security bulletin.

Microsoft has rated the vulnerability – CVE-2015-2426 – as “critical” but points out that the flaw could allow remote code execution only if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

However, Microsoft said an attacker who successfully exploited this vulnerability could take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.

When this security bulletin was issued, Microsoft said it had information to indicate that this vulnerability was public, but did not have any information to indicate this vulnerability had been used to attack customers.

However, Microsoft said analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.

Rapid7 security engineering manager Tod Beardsley said all Windows users are encouraged to update their Windows clients as soon as practical.

“Failing a patch and restart, Windows users should disable this font-rendering service entirely by following the detailed instructions provided by Microsoft's security advisory, he said.

Independent security consultant Graham Cluley noted that there are no patches for the now no-longer-supported Windows XP and Windows Server 2003.

“But you surely realised long ago that continuing to use those versions of Windows was a dangerous game, right?” he wrote in a blog post.