Microsoft Addresses Critical Security Flaw
If you’re one of the billions of people around the world using some version of Windows, you probably noticed a recent emergency security update to patch a critical security flaw. This article clarifies several details about the security flaw, how it was uncovered, and what it might mean for users like you. Microsoft usually releases security updates on the second Tuesday of each month, but the recent appearance of a potential emergency required a swifter response – the company has issued an emergency security update for all supported versions of Windows, urging all users to implement it immediately. This issue came to light from memos leaked from Hacking Team, a widely-disliked company specializing in government-controlled spyware. Hacking Team kept news of the vulnerability to themselves, including it in the bundles of information they sold to governments to help them spy on people around the world. The information only became public after a dedicated group of hackers leaked Hacking Team’s memos online. Microsoft particularly credits Google Project Zero and FireEye for informing them of the flaw.
MS15-078: The Facts
This security flaw is MS15-078, in the Windows Adobe Type Manager Library. Attackers can use this vulnerability to remotely control systems, hijacking your computer and infecting it with malware. This is a serious problem – Microsoft’s font drivers run in kernel mode, meaning that if just one library receives malicious data, the entire system could collapse. Anyone opening a web page or document containing a malicious font file could be attacked in this manner. Microsoft elaborates on this issue in an advisory statement:
“An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts.”
In fact, Microsoft classifies this vulnerability as “critical”, the highest threat level available. Their security patch addresses the problem by changing the way Windows Adobe Type Manager Library treats OpenType fonts.
What Should You Do?
In light of this news, many Windows users are wondering how to protect themselves. Microsoft has shared a few solutions:
“The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically… For those manually updating, we strongly encourage you to apply this update as quickly as possible following the release of the security bulletin.”
The patch is available for all currently-supported versions of Windows – Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 and Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1, and Server Core. But note that it is not available for Windows Server 2003 (W2K3). As many of you know, support for W2K3 ended over one week ago. That means Microsoft no longer issues security updates for that system, except for customers who have a specific arrangement with them. If you’re one of the millions of people still running applications on W2K3 and are concerned about how to protect your infrastructure, feel free to contact us for a consultation.