New vulnerabilities that have been exposed as a result of the attack on the Hacking Team’s servers continue to wreak havoc. Yesterday, the victim was Microsoft.
The company has issued an emergency security update for its Windows operating system that it rated “critical,” its most severe vulnerability rating. The bug sits in the operating system’s font driver, the component that parses and renders fonts, and it allows an attacker to take control of a user’s system remotely.
The vulnerability affects all supported versions of Windows, according to Microsoft. The majority of Microsoft customers should be protected if they have automatic updating enabled, since the fix will be downloaded and installed automatically. Customers who install updates manually, or who hold updates for testing, are advised to apply this one immediately.
More Fallout from Hacking Team
The patch was released ahead of Microsoft’s next regular monthly Patch Tuesday security update. Among the Windows versions affected by the flaw are Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1. The flaw also reportedly affects the Windows 10 Insider Preview.
We spoke with Daniel Kennedy, Research Director at 451 Research, who told us it was noteworthy that Microsoft released the patch outside of its normal security updates.
“Anytime Microsoft releases a patch out of band of their regular security updates, it gains some attention,” Kennedy said. “This file was also associated with a privilege escalation vulnerability earlier this month. Companies should follow their reasonable patch management processes, testing the patch, releasing it to a small group of users, and then extending it to all affected users, in an expedited timeframe.”
The vulnerability was originally discovered by researchers from computer security firm FireEye. Microsoft is only the latest tech company affected by the fallout from the Hacking Team leak, which made a number of exploits available to the public. Adobe has already had several vulnerabilities made public since the Italian surveillance company was hacked earlier this month. Several U.S. government agencies have also been attacked using flaws publicized by the leak.
Remote Code Execution
The bug in Windows lets an attacker execute code remotely if a user opens a specially crafted document or visits an untrusted Web page that contains embedded OpenType fonts. The flaw is in the Windows Adobe Type Manager Library, which parses OpenType fonts on the user’s behalf as soon as a document or page that embeds one is rendered, so no further action by the user is needed. The patch fixes the vulnerability by changing the way the library handles OpenType fonts.
An attacker who successfully exploited the vulnerability could take complete control of the affected system, according to Microsoft. Because the font driver runs with system privileges rather than those of the application that loaded the font, a successful exploit is not confined to the browser or document viewer: the attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
“There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts,” the company said in a security bulletin yesterday.
Microsoft said it had information indicating that the vulnerability was public, but it was not aware of the bug having been used in attacks. Nevertheless, “our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability,” the company said, giving the bug its “exploitation more likely” rating. Microsoft has not identified any mitigating factors for the vulnerability, but it did publish a number of workarounds on its Web site; these amount to taking the Adobe Type Manager font driver out of use until the patch is installed, at the cost of rendering the fonts it handles.
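For administrators who cannot deploy the patch immediately, the following PowerShell script is an added example, not code from the article or from Microsoft. It reports the state of the Adobe Type Manager font driver on a host and, if asked, applies the registry workaround. It assumes that the affected library is atmfd.dll under System32 (and SysWOW64 on 64-bit Windows) and that the registry workaround for Windows 8 and later is a DWORD value named DisableATMFD set to 1 under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows; both should be verified against Microsoft’s bulletin for the Windows version in question. The article does not give the update’s KB number, so the script lists recent hotfixes rather than checking for a specific one.

```powershell
# Added example (not from the article or from Microsoft): inventory atmfd.dll and
# the DisableATMFD workaround on this host. Run from an elevated PowerShell prompt.
#
# Assumptions to verify against Microsoft's bulletin for your Windows version:
#  - the affected library is %windir%\System32\atmfd.dll (plus the SysWOW64 copy
#    on 64-bit Windows);
#  - the Windows 8+ workaround is DWORD DisableATMFD = 1 under
#    HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, effective after reboot;
#  - the older-Windows workaround (renaming atmfd.dll) leaves no atmfd.dll in System32.
param(
    [switch]$ApplyRegistryWorkaround   # set DisableATMFD=1 (Windows 8 and later only)
)

$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$driverPaths = @(
    (Join-Path $env:windir 'System32\atmfd.dll'),
    (Join-Path $env:windir 'SysWOW64\atmfd.dll')
)

# 1. Is the font driver still present, and which build is it?
foreach ($path in $driverPaths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        '{0}: present, file version {1}, last modified {2:u}' -f `
            $path, $item.VersionInfo.FileVersion, $item.LastWriteTimeUtc
    } else {
        '{0}: not present (renamed per the workaround, or no such directory on this system)' -f $path
    }
}

# 2. Is the registry workaround in place?
$disabled = (Get-ItemProperty -Path $regPath -Name 'DisableATMFD' -ErrorAction SilentlyContinue).DisableATMFD
if ($disabled -eq 1) {
    'DisableATMFD = 1: the Adobe Type Manager font driver is disabled (takes effect after reboot).'
} else {
    'DisableATMFD is not set: atmfd.dll will be loaded to parse OpenType fonts.'
    if ($ApplyRegistryWorkaround) {
        if (-not (Test-Path -Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
        New-ItemProperty -Path $regPath -Name 'DisableATMFD' -PropertyType DWord -Value 1 -Force | Out-Null
        'DisableATMFD set to 1. Reboot for it to take effect; remove the value once the patch is installed.'
    }
}

# 3. Recent updates, so the patch can be confirmed by its KB number from the bulletin.
Get-HotFix |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 10 -Property HotFixID, Description, InstalledOn
```

Disabling or renaming the driver stops Windows from rendering the OpenType and Type 1 fonts it handles, so documents and pages that depend on them will display incorrectly; the switch is a stopgap for the window before the patch is deployed, and the value should be removed afterwards.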