Dear Visitor,

Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course, available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest high-quality content, which is written by professional journalists, with the help of editors, graphic designers, and our site production and I.T. staff, as well as many other talented people who work around the clock for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or to simply disable your Ad Blocker while visiting this site.

Continue on this site freely
  HOME     MENU     SEARCH     NEWSLETTER    
CUSTOMER RELATIONSHIP MANAGEMENT NEWS. UPDATED 3 MINUTES AGO.
You are here: Home / Network Security / Microsoft Pushes Critical Windows Fix
Microsoft Pushes Emergency Security Fix for Windows
Microsoft Pushes Emergency Security Fix for Windows
By Jef Cozza / CRM Daily Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
JULY
21
2015
New vulnerabilities that have been exposed as a result of the attack on the Hacking Team’s servers continue to wreak havoc. Yesterday, the victim was Microsoft.

The company has issued an emergency security update for its Windows operating system that it described as “critical,” its most severe vulnerability rating. The bug, which appears on the font driver of the operating system, allows an attacker to take control of a user’s system remotely.

The vulnerability affects all supported versions of Windows, according to Microsoft. The majority of Microsoft customers should be protected if they have automatic updating enabled, since the fix will be downloaded and installed automatically. But customers that install updates manually are advised to do so immediately.

More Fallout from Hacking Team

The patch was released ahead of Microsoft’s next regular monthly Patch Tuesday security update. Among the Windows versions affected by the exploit are Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1. The flaw also reportedly affects the Windows 10 Insider Preview.

We spoke with Daniel Kennedy, Research Director at 451 Research, who told us it was noteworthy that Microsoft released the patch outside of its normal security updates.

"Anytime Microsoft releases a patch out of band of their regular security updates, it gains some attention," Kennedy said. "This file was also associated with a privilege escalation vulnerability earlier this month. Companies should follow their reasonable patch management processes, testing the patch, releasing it to a small group of users, and then extending it to all affected users, in an expedited timeframe."

The vulnerability was originally discovered by researchers from computer security firm FireEye. Microsoft is only the latest tech company affected by the fallout from the Hacking Team leak, which made a number of exploits available to the public. Adobe has already had several vulnerabilities made public since the Italian surveillance company was hacked earlier this month. Several U.S. government agencies have also been attacked using flaws publicized by the leak.

Remote Code Execution

The bug affecting the Windows OS can give attackers remote access to a user’s system and allow them to remotely execute code if a user opens a specially crafted document or visits an untrusted Web page that contains embedded OpenType fonts. The patch fixes the vulnerability by changing the way Windows Adobe Type Manager Library handles OpenType fonts.

An attacker who successfully exploited the vulnerability could take complete control of the affected system, according to Microsoft. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

“There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts,” the company said in a security bulletin yesterday.

Microsoft said it had information indicating that the vulnerability was public, but it was not aware if the bug had yet been exploited by anyone to launch an attack. Nevertheless, “our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability,” the company said, giving the bug its “exploitation more likely” rating. Microsoft has not yet identified any mitigating factors for the vulnerability, but it did have a number of workarounds available on its Web site.

Tell Us What You Think
Comment:

Name:

Art in Nevada County:
Posted: 2015-08-19 @ 1:17pm PT
What is the published Microsoft Knowledge Base (KB) patch that addresses this vulnerability?

Tom in Houston:
Posted: 2015-07-21 @ 2:41pm PT
Why no word about XP? Microsoft no longer supports it, and that's cool. But why couldn't you note whether or not XP is affected by this? Many of your readers still use XP.

Like Us on FacebookFollow Us on Twitter
MORE IN NETWORK SECURITY
CRM DAILY
NEWSFACTOR NETWORK SITES
NEWSFACTOR SERVICES
© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.