Microsoft Releases Emergency Patch For Font Driver Vulnerability

By Derek Forrest
published

Microsoft deployed an emergency security update for all currently supported versions of the Windows operating system, resolving a vulnerability that could allow remote code execution when users open documents or webpages that contain specially coded embedded OpenType fonts.

This exploit is made possible in part to the recently lambasted Adobe, which also released its own set of updates to address widespread vulnerabilities in Flash. With this freshly patched exploit, the Windows Adobe Type Manager Library can improperly handle maliciously coded OpenType fonts in documents and untrusted web pages, allowing attackers to gain complete control of the affected system.

Perhaps the scariest note is that this vulnerability spans every version of Windows since Vista, which was released in late 2006. With an exploit spanning the entire Microsoft operating system catalog since then, does that mean the vulnerability has existed for just as long? It makes me cringe to think that the small percentage of users still running Windows XP or the recently unsupported Windows Server 2003 could be victims of the same vicious exploit.

However, most users with supported versions of Windows and automatic updates enabled will already have downloaded the patch by the time this article goes live. Enterprise users may have to manually deploy the update (KB 3079904) and should do so as soon as possible, because the hotfix is labeled "Critical" by Microsoft's security bulletin. (opens in new tab)

Whoever said words would never hurt us lied.

Follow Derek Forrest @TheDerekForrest. Follow us @tomshardware, on Facebook and on Google+.

Derek Forrest
Derek Forrest
Derek Forrest is a Contributing Writer for Tom's Hardware US. He writes hardware news and reviews gaming desktops and laptops.
18 Comments Comment from the forums
  • jimmysmitty
    If it was tied to Adobe and Flash then it is possibly a newer exploit that was just found due to the issues Flash present. There is no way of knowing how long it has been around but since Vista means it is due to the newer way that the front end and back end are handled compared to the older XP and lower design.

    I think it was probably always there but the Flash issue is what made it possible which is why the sooner Flash goes bye bye the better off we are. And Java.
    Reply
  • rantoc
    If i were to look for an exploit it would be in any product who starts with Adobe, they don't seem to care about security at all by judging on the sheer number of exploits related to their products especially flash that looks to be the holy grail for anyone who wants to do anything malicious - It needs to die!
    Reply
  • red77star
    Someone wants Adobe out of business so suddenly all this BS. is showing up. I have seen same BS patter in other area of life.
    Reply
  • red77star
    A goal of these spectacular BS security discoveries is to shape up a public opinion and media and build negative attitude toward target subject, namely Adobe. Once that is achieved and millions of brainwashed people are told what to think or feel...it is like chain reaction.
    Reply
  • jimmysmitty
    16297734 said:
    Someone wants Adobe out of business so suddenly all this BS. is showing up. I have seen same BS patter in other area of life.

    Adobe is doing it to themselves. Their products have massive exploits and are some of the reasons for some of the latest viruses. That and Java. I would rank them both the top reasons for viruses are due to exploits in their software that open holes into the OS.
    Reply
  • red77star
    It tells me that OS itself is crappy coded.
    Reply
  • jimmysmitty
    16297900 said:
    It tells me that OS itself is crappy coded.

    Even a more secure OS can be screwed up by software. It is why Microsoft moved to APIs to stop games from crashing the entire OS when it freaked the GPU driver out.

    And of course no OS is perfect, not even Linux is 100% bullet proof.

    But considering that not only has Microsoft had issues with Flash in IE or Windows but also Mozilla Firefox, they killed it from running until it was patched recently, and even Chrome, they update Flash themselves instead of relying on Adobe, that says that it is more Adobe that is causing the issues than Microsoft.

    Of course it is sort of pointless trying to show you this as you seem to have a spite for Microsoft for doing some sort of physical or emotional harm to you.
    Reply
  • Alec Mowat
    It the time it takes to deploy this critical update to all servers and workstations, you could simply run a script to uninstall Flash. Unless you need it for line of business software, you shouldn't be using flash player in a work place.
    Reply
  • ravewulf
    "Whoever said words would never hurt us lied."
    +1
    Reply
  • gangrel
    And it's not like Flash-bashing is something new.

    Chrome and iOS don't touch Flash now. This puts them at a competitive DISadvantage relative to other Flash-using environments. They will lose some of their users because of that. If you think of it in that way, it's not bashing just to bash. One can argue that with Google's general attempt to squash NPAPI is somewhat self-serving, in that the alternative is something they control to a much greater degree...but Mozilla is pushing for the same changes, so this argument is gutted IMO.
    Reply