Microsoft has taken the unusual step of issuing a critical security update which patches a vulnerability in all versions of Windows that unpatched would leave hundreds of millions of PC users around the world susceptible to attack.
The security flaw would allow a hacker to remotely access your PC and gain “complete control of your system” according to Microsoft. The company typically issues security updates once a month on what is known as Patch Tuesday, but this out-of-band update indicates just how serious this security flaw is.
The vulnerability has been labelled “critical” which is the highest severity rating Microsoft has.
More about cybersecurity
The vulnerability – labelled CVE-2015-2426 – was uncovered by security researchers Mateusz Jurczyk of Google Project Zero, and Genwei Jiang of FireEye who sifted through the leaked cache of documents and source code from Italian surveillance software vendor Hacking Team.
The remote code execution flaw affects all versions of Windows including Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows RT. The flaw also affects certain versions of the Windows 10 Insider Preview operating system, but six days ago Microsoft released the latest (and final) build of the new software which patched this vulnerability.
Microsoft will want to avoid any major security worries ahead of the consumer launch of Windows 10 next week on 29 July.
In its advisory, Microsoft says: “The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.”
Exploited in the wild
There is no suggestion to date that anyone has managed to exploit the vulnerability in the wild, but considering that everyone from hackers to researchers have been pouring over the Hacking Team data since its leak on 6 July, there is a significant danger for users who don’t update their software.
The vulnerability affects the way Windows Adobe Type Manager Library handles specially-crafted Microsoft OpenType fonts. To exploit the flaw, attackers would have to create a special OpenType document and get the victim to open it on their PC. Alternatively the victim could be redirected to a website with embedded OpenType fonts.
Once exploited, Microsoft says an attacker “could then install programs; view, change, or delete data; or create new accounts with full user rights.”
While the majority of Windows users have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically, customers who have not enabled automatic updating, or who install updates manually, can use the links listed here to download and install the update.
Source: International Business Times