It’s 2015, and bad font files in webpages will still pwn you.
All supported versions of Windows now need to be patched – again – to fix an urgent remote code-execution vulnerability emerging from the ongoing Hacking Team hack fiasco.
Details of the vulnerability were found and reported to Microsoft by security researchers poring over internal memos leaked online from spyware-maker Hacking Team. This follows an elevation-of-privilege hole in Windows and a remote-code execution bug in Internet Explorer 11 that were also uncovered from the Hacking Team files, and patched last week by Microsoft.
This latest serious security flaw (MS15-078) lies within the Windows Adobe Type Manager Library, and can be exploited by attackers to hijack PCs, infect them with malware, and so on. A victim who opens a document or even a webpage that contains a malicious embedded OpenType font file can be attacked thanks to this vulnerability.
Normally, security patches for Microsoft software are released as a bundle on the second Tuesday of every month. Today, the Redmond giant felt compelled to issue an emergency update for its operating system.
The security flaw is potent because Microsoft runs its font drivers in kernel mode, meaning if one of the libraries is fed bad data, the whole operating system can be compromised. Microsoft explained in an advisory:
Posted from WordPress for Android