Microsoft has released an out-of-band security patch for all supported versions of Windows. The patch addresses a zero-day security vulnerability that could allow a remote attacker to gain complete control of your operating system.
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.
Patches have already been rolled out through Windows Update Services and should be available. We see this as impacting desktop users more than server environments, but some server environments with Internet access are at more risk. This zero-day vulnerability came out of the Hacking Team data breach that happened just a few weeks ago. What other vulnerabilities will we see from the cache?
Microsoft Security Bulletin MS15-078 (Critical) – Remote Code Execution
Operating Systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
Update Available: KB3079904, replacing KB3077657
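
To confirm the update actually reached your machines, the following PowerShell function checks a list of hosts for KB3079904. It is an added example, not part of Microsoft's bulletin; the function name `Test-Ms15078Patch` and the host names are hypothetical, and it assumes PowerShell 3.0 or later with rights to query the remote hosts.

```powershell
# Added example: report whether KB3079904 (MS15-078) is installed on each host.
# The function name and the sample host names are hypothetical.
function Test-Ms15078Patch {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,

        [string]$KbId = 'KB3079904'
    )
    process {
        foreach ($computer in $ComputerName) {
            $status = 'Unknown'; $installedOn = $null; $problem = $null
            try {
                # List every hotfix and filter locally. Using -Id would raise an
                # error for a missing KB, which is indistinguishable from the
                # error raised when the host is unreachable or access is denied.
                $hit = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                    Where-Object { $_.HotFixID -eq $KbId } |
                    Select-Object -First 1

                if ($hit) {
                    $status = 'Installed'
                    $installedOn = $hit.InstalledOn
                } else {
                    $status = 'Missing'
                }
            }
            catch {
                # Host offline, firewall blocking the query, or insufficient rights:
                # report it as Unknown rather than silently counting it as patched.
                $problem = $_.Exception.Message
            }

            [pscustomobject]@{
                ComputerName = $computer
                KB           = $KbId
                Status       = $status
                InstalledOn  = $installedOn
                Error        = $problem
            }
        }
    }
}

# Constructed host list for illustration; replace with your own inventory.
'WKS-001', 'WKS-002', 'SRV-WEB01' | Test-Ms15078Patch | Format-Table -AutoSize
```

A host that received a later update superseding this one will show as Missing under this KB number, so treat Missing and Unknown results as items to investigate rather than as proof of exposure.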