Microsoft has released an out-of-band emergency patch for a zero-day vulnerability across all Windows operating system releases, discovered in the trove of data leaked from grey-hat organisation Hacking Team.
When Hacking Team's server was breached and gigabytes of the company's internal data made public, it was bad news for everyone. Already, three zero-day vulnerabilities in Adobe Flash were made public as a result of the attack, and now it's Windows' turn with Microsoft releasing an out-of-band emergency patch for another zero-day discovered in the group's trove.
Embarrassingly, the flaw can once again be traced back to Adobe: the vulnerability lies not in Windows itself, but with the bundled Windows Adobe Type Manager Library which is used for rendering OpenType fonts. 'The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts,' Microsoft explained in its bulletin announcing the patch. 'This security update is rated Critical for all supported releases of Microsoft Windows,' the company continued, including Windows 10 Build 10240 - the version believed to represent the Release to Manufacturing (RTM) gold master of the upcoming operating system.
The precise severity of the flaw is clear from Microsoft's decision to break from its usual monthly Patch Tuesday update cycle in order to get the patch out to users as quickly as possible. Those with automatic updates configured need do nothing; others should visit Microsoft's Knowledge Base for details on the flaw and manual patch installation.