Emergency fix from Microsoft patches font vulnerability

CISOs should be pushing staff who oversee patch management to install an out-of-band Microsoft fix for a critical Windows vulnerability in the way the Adobe Type Manager Library handles OpenType fonts.

“The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts,” Microsoft said in a security bulletin.

While the bug affects all versions of Windows, only supported software gets a fix — meaning Windows Server 2008, which just ended support, is excluded. Organizations that allow automatic updating won’t need to take any action. Others will have to manually download and install the update.

Microsoft says the vulnerability arises when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts, allowing an attacker to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights — in other words, the flaw could be used to run arbitrary code, not just to escalate privileges. The update corrects the flaw.

Attackers could leverage the hole by convincing a user to open a specially crafted document, Microsoft points out, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts.

“Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability,” it added.

For those who can’t install the update, Microsoft [Nasdaq: MSFT] has provided workarounds, two of which involve editing the Registry, while another renames a .DLL file.

Trend Micro took credit for finding this zero-day vulnerability after poring through the data from the Hacking Team data breach.

“The leaked documents stated that the memory corruption of atmfd.dll (an Adobe kernel module) would lead to privilege escalation on Windows 8.1 x64,” Trend Micro said in a blog. It included this diagram to show the progress of an exploit:


“This is a complete exploit which allows even an escape of the Chrome sandbox through a kernel bug,” says the analysis. “The proof of exploit code runs the Windows calculator calc.exe with system privileges under winlogon.exe.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
