Microsoft Releases Out-of-Band Patch for Critical Remote Execution Flaw

Microsoft has released an out-of-band patch that addresses a critical, remotely exploitable flaw in all versions of Windows.

The vulnerability stems from how Windows’ Adobe Type Manager Library handles specially crafted OpenType fonts. An attacker who successfully exploited it could take complete control of the affected system, and from there could install programs; view, change or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, most of them relying on social engineering: the attacker would need to convince a user to open a specially crafted document, or to visit an untrusted webpage that contains embedded OpenType fonts.

“When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers,” the software giant said in its advisory. “Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.”

The patch will be downloaded and installed automatically on most machines, except for those customers who have not enabled automatic updating or who install updates manually.
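Because the article notes that hosts without automatic updating enabled will not receive the fix on their own, an administrator will want a quick way to confirm both settings on a given machine. The following PowerShell script is an added example written for this page, not code from Microsoft or the article; it reports the Automatic Updates configuration, whether a given update package is installed, and the version of the font driver DLL. The KB identifier is a placeholder (the article does not give one), and the file name `atmfd.dll` is assumed here to be the on-disk name of the Adobe Type Manager Library, which the article does not state.

```powershell
# Added example, not from the article. Reports Automatic Updates state and
# whether a named update package is present on this host.
# $KbId is a PLACEHOLDER; substitute the KB number from Microsoft's bulletin.
param(
    [string]$KbId = 'KB0000000'
)

# Group Policy / WSUS-managed setting: NoAutoUpdate = 1 disables automatic updating
$policyAU = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                             -ErrorAction SilentlyContinue

# Locally configured setting; AUOptions: 2 = notify before download,
# 3 = auto download, notify to install, 4 = auto download and install
$localAU = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' `
                            -ErrorAction SilentlyContinue

$autoUpdateDisabled = ($policyAU -and $policyAU.NoAutoUpdate -eq 1)
$auOption = if ($policyAU -and $policyAU.AUOptions) { $policyAU.AUOptions }
            elseif ($localAU) { $localAU.AUOptions }
            else { $null }

# Installed-update check; returns nothing if the package is absent
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

# Font driver file version (assumed file name; useful for comparing against the
# fixed version listed in the bulletin's file information table)
$atmfdPath = Join-Path $env:SystemRoot 'System32\atmfd.dll'
$atmfdVersion = if (Test-Path $atmfdPath) {
    (Get-Item $atmfdPath).VersionInfo.FileVersion
} else { 'not present' }

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    AutoUpdateDisabled = [bool]$autoUpdateDisabled
    AUOptions          = $auOption
    PatchInstalled     = [bool]$hotfix
    InstalledOn        = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    AtmfdVersion       = $atmfdVersion
}
```

Run it as an administrator with the real KB number from the bulletin (for example `.\Check-FontPatch.ps1 -KbId KB<from bulletin>`); a host that shows `AutoUpdateDisabled = True` and `PatchInstalled = False` is one the article's caveat applies to and needs the update applied by hand.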
