Microsoft released an out-of-band patch Monday that addresses a critical remotely exploitable flaw in all versions of Windows.
The vulnerability stems from how Windows’ Adobe Type Manager Library handles OpenType fonts. If a user is tricked into either opening a rigged document or visiting an untrusted website that contains embedded OpenType fonts, the flaw could open their machine up to remote code execution.
According to a security bulletin (MS15-078) corresponding to the vulnerability at Microsoft’s Security Tech Center, all supported versions of Windows should receive the patch. Windows Server 2003, which stopped receiving support last week, will not receive the patch.
Microsoft stresses that it’s possible for an attacker to “consistently exploit” the vulnerability by creating their own exploit code.
“When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers,” the bulletin reads.
Still, an attacker could leverage the vulnerability to take complete control of a system, meaning they could install programs; view, change, or delete data; and create new accounts with full user rights.
Microsoft is encouraging users who don’t have automatic updates enabled to apply the fix as soon as possible, but points out that there are several viable workarounds that may be helpful for end users who can’t apply it right away.
The workarounds differ by system, but mostly involve using a managed deployment script and renaming or removing the .DLL that corresponds to the Adobe Type Manager Library (ATML). These actions could ultimately impact applications that rely on ATML.
While it sounds similar, the issue is separate from CVE-2015-2387, another vulnerability that Microsoft patched last week in the Adobe Type Manager Font Driver (ATMFD). That vulnerability, reported by Google Project Zero and researcher Morgan Marquis-Boire, was one of several uncovered in the HackingTeam leak. Somewhat less pressing than today’s issue with Adobe Type Manager Library, the ATMFD issue stemmed from a problem with how the driver handled objects in memory. If exploited, it could have enabled privilege escalation and code execution.