Microsoft has just launched an emergency patch for a recently discovered security breach that can give access of your computer to hackers if you open documents or websties that use certain embedded OpenType fonts.
The breach is massive. It could potentially affect nearly all computers running any version of Windows ranging from Vista to the current preview build of Windows 10.
According to a security advisory published by Microsoft, the vulnerability could “allow remote code execution if a user opens a specially crafted document or visits an un-trusted webpage that contains embedded OpenType fonts.”
The Windows Adobe Type Manager Library “improperly handles” certain OpenType fonts, which trigger a remote code execution vulnerability. When that happens, an attacker “could take complete control of the affected system,” including installing programs, controlling and removing data, and creating new accounts with full user rights.
The security update fixes the vulnerability by changing how the Windows Adobe Type Manager controls fonts coming through from OpenType.
OpenType is an open source, scalable font software developed by Adobe. Because the fonts are cross-platform compatible and available for free, many web designers use the software in developing websites.
Currently, there is no official information that an actual attack has taken place via this vulnerability. However, Engadget notes, “claims are circulating” that this security update fixes an exploit that was discovered by an Italian company named “Hacking Team” in early July.
The most important thing to do right now is check for updates from Microsoft on all of your computers and mobile devices.
What about Windows XP, is it vulnerable to this specific exploit?
Probably, they just won’t release a patch for it since it’s not supported anymore.
I understand XP is unsupported, but my question asked if it is affected…
Last thing I saw said “All versions of Windows from XP up to 8.1 are reported to be affected, in both 32 and 64-bit variants.”
Hmmm… Thanks arrdee.
I’m curious about this too, because I do have one box still running XP. hmmmm…
https://technet.microsoft.com/en-us/library/security/MS15-078#ID0EKIAE
Looks like the vulnerability is in atmfd.dll. Maybe you can kill that in XP. Maybe you don’t need it at all … *shrug*
It’s mind-bloggling that such a simple thing like displaying a font (no matter how well “crafted” it is within a doc or html file) could open the most serious type of security hole. This isn’t a simple bug.
I’m suggesting that within Windows itself their are engines designed to allow remote execution and other backdoor mechanisms. This issue will be the first of many that will accidentally trip embedded backdoors.
Before anyone accuses me of ‘conspiracy this or tinfoil that’, look up Windows backdoors and similar (I’m currently on cell phone).
like ip6 remote connections, running despite a closed windows firewall …. yep, in every new version more of such hidden cheese holes.
I don’t believe it is, font rendering is a lot more complex than it looks, many layers of interpretation (think of TrueType as a tiny Flash language with a VM). Back in the days they didn’t think rendering would be a real attack surface, it’s easy to dismiss as opposed to network components, etc, etc
My 2 cents.