CISOs should be pushing staff who oversee patch management to install an out-of band Microsoft fix for a critical Windows vulnerability in the way Adobe Type Manager Library handles OpenType fonts.

“The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts,” Microsoft said in a security bulletin.

While the bug affects all versions of Windows only supported software get a fix — meaning Windows Server 2008, which just ended support, is excluded. Organizations that allow automatic updating won’t need to take any action. Others will have manually download and install the update.

Microsoft says the exploit makes Windows Adobe Type Manager Library improperly handled specially crafted OpenType fonts, allowing an attacker to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights — in other words the flaw could be used to run arbitrary code, not just privilege escalation. The update corrects the flaw.

Attackers could leverage the hole by convincing a user to open a specially crafted document, Microsoft points out, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts.

“Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.” it added.

For those who can’t install the update Microsoft [Nasdaq: MSFT] has provided workarounds, two of which involve editing the Registry, while another re-names a .DLL file

Trend Micro took credit for finding this zero-day vulnerability after pouring through the data from the Hacking Team data breach.

“The leaked documents stated that the memory corruption of atmfd.dll (an Adobe kernel module) would lead to privilege escalation on Windows 8.1 x64,” Trend Micro said in a blog. It included this diagram to show the progress of an exploit:


“This is a complete exploit which allows even an escape of the Chrome sandbox through a kernel bug,” says the analysis. “The proof of exploit code runs the Windows calculator calc.exe with system privileges under winlogon.exe.”

  • Sean Huxley

    Server 2003 is EOL not 2008