Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Issues Emergency Fix For Critical Flaw Affecting All Versions of Windows

Out-of-Band Security Patch Fixes Critical OpenType Font Driver Vulnerability Affecting All Versions of Microsoft Windows

Out-of-Band Security Patch Fixes Critical OpenType Font Driver Vulnerability Affecting All Versions of Microsoft Windows

Microsoft released an emergency out-of-band security update on Monday to address a critical vulnerability in Windows that could allow a remote attacker to gain complete control of an affected system.

The remote code execution vulnerability (CVE-2015-2426) affects all versions of Windows and stems from the Windows Adobe Type Manager Library improperly handling specially crafted OpenType fonts, Microsoft said in a security advisory.

According to Trend Micro, the flaw is another leaked as a result of the recent Hacking Team data breach.

“This is a complete exploit which allows even an escape of the Chrome sandbox through a kernel bug; the proof of exploit code runs the Windows calculator calc.exe with system privileges under winlogon.exe,” Trend Micro researchers explained in a blog post.  

“There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts,” Microsoft’s advisory (MS15-078) explained. 

While Microsoft said the vulnerability was public, the software giant said it did not have any details indicating that the flaw had been exploited to attack customers. However, Microsoft warned that exploit code could be created in such a way that “an attacker could consistently exploit” the vulnerability.

Microsoft customers that have automatic updating enabled should already be protected, as the update will be downloaded and installed automatically. Users who do not have automatic updating enabled, or who install updates manually should install the update, with information on doing so manually available online

Microsoft also provided information on workarounds for various versions of Windows.

Just last week Microsoft released a total of 14 bulletins as part of the company’s July 2015 security updates, including two zero-day bugs identified by researchers while analyzing the Hacking Team leak.  

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.