Microsoft deployed an emergency security update for all currently supported versions of the Windows operating system, resolving a vulnerability that could allow remote code execution when users open documents or webpages that contain specially coded embedded OpenType fonts.
This vulnerability is attributable in part to the recently lambasted Adobe, which also released its own set of updates to address widespread vulnerabilities in Flash. In the now-patched flaw, the Windows Adobe Type Manager Library improperly handles maliciously coded OpenType fonts in documents and untrusted web pages, allowing attackers to gain complete control of the affected system.
Perhaps the scariest note is that this vulnerability spans every version of Windows since Vista, which was released in late 2006. With a flaw affecting the entire Microsoft operating system catalog since then, does that mean the vulnerability has existed for just as long? It makes me cringe to think that the small percentage of users still running Windows XP or the recently unsupported Windows Server 2003 could be victims of the same vicious exploit.
However, most users with supported versions of Windows and automatic updates enabled will already have downloaded the patch by the time this article goes live. Enterprise users may have to manually deploy the update (KB 3079904) and should do so as soon as possible, because the update is rated "Critical" in Microsoft's security bulletin.
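For the manual deployment described above, here is an added PowerShell check (not code from the article or from Microsoft) that reports which hosts do not list KB3079904 as installed; it assumes administrative RPC/WMI access to each host, which is what Get-HotFix -ComputerName uses.

```powershell
# Added example, not code from the article: report which hosts are missing the
# MS15-078 Adobe Type Manager Library update (KB3079904, the KB cited above).
# Assumes the caller has admin rights and RPC/WMI access to each target host.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$KB = 'KB3079904'
)

$report = foreach ($target in $ComputerName) {
    try {
        # -ErrorAction Stop turns an unreachable host into a catchable exception
        $installed = Get-HotFix -ComputerName $target -ErrorAction Stop
        $fix = $installed | Where-Object { $_.HotFixID -eq $KB }

        # Caveat: systems serviced by cumulative updates may not list the KB
        # individually, so "not listed" means "verify", not "confirmed exposed".
        $when = if ($fix) { $fix.InstalledOn } else { $null }
        $note = if ($fix) { 'patched' } else { 'KB not listed; verify via Windows Update history' }

        [pscustomobject]@{
            Computer    = $target
            KB          = $KB
            Installed   = [bool]$fix
            InstalledOn = $when
            Note        = $note
        }
    } catch {
        [pscustomobject]@{
            Computer    = $target
            KB          = $KB
            Installed   = $null
            InstalledOn = $null
            Note        = "query failed: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# Hosts that are not confirmed patched still need attention
$report | Where-Object { $_.Installed -ne $true } |
    ForEach-Object { Write-Warning "$($_.Computer): $($_.Note)" }
```

Run it as `.\Check-KB3079904.ps1 -ComputerName host1,host2` from an account with remote WMI rights; a host that fails the query is reported separately from one that answers but lacks the KB.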
Whoever said words would never hurt us lied.