Microsoft releases out-of-band patch for all versions of Windows

Fix addresses RCE flaws in the Windows Adobe Type Manager Library


Microsoft released an out-of-band patch on Monday, which fixes a problem in the Windows Adobe Type Manager Library that could lead to remote code execution (RCE) on the host system if exploited.

If successfully exploited, the vulnerability patched today could lead to total system compromise, as the attacker would gain the ability to alter programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft has released patches for all supported versions of the Windows operating system, and listed the severity of the problem as critical.

"There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts," an advisory on the issue explains.

While not listed in the security bulletin, Windows 10 has also been patched against this flaw. Users who are on preview builds should get the patch automatically, but a check for updates will download and install MS15-078.

All other operating systems, including Windows Vista, Windows 7, Windows 8 and 8.1, Windows Server 2008 and 2008 R2, Windows Server 2012 and 2012 R2, and Windows RT and RT 8.1, will get the patch as determined by the system's update settings.

Windows 2003 and Windows XP will not be patched against this flaw, unless there is an extended support contract in place that would cover it.

Update: In an email, FireEye confirmed to Salted Hash that today's patch from Microsoft is related to Hacking Team.

Details on the nature of the flaw were discovered by one of FireEye's researchers within the Hacking Team cache of files. Two weeks ago, Hacking Team was left scrambling after 400GB of data, including source code, sales materials, contracts, and more, was published to the Web.
