Microsoft plugs another Windows zero-day with emergency patch

Microsoft has released an emergency update that plugs a critical zero-day vulnerability (CVE-2015-2426) that affects all supported versions of Windows and could allow attackers to remotely execute code on the victims’ computer.

The bug is found in the Microsoft OpenType Font Driver, and can be exploited by tricking users into opening a specially crafted document or visiting an untrusted webpage that contains embedded OpenType fonts.

“When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability,” the company said in the accompanying security bulletin.

“The update replaces a patch released last week (MS15-077),” SANS ISC CTO Johannes Ullrich pointed out. “MS15-077 had been exploited at the time the MS15-077 bulletin was released last week.”

Trend Micro has more technical details about the vulnerability, which they discovered in the leaked Hacking Team trove of data.

“The leaked documents stated that the memory corruption of atmfd.dll (an Adobe kernel module) would lead to privilege escalation on Windows 8.1 x64. This is a complete exploit which allows even an escape of the Chrome sandbox through a kernel bug; the proof-of-concept exploit code runs the Windows calculator calc.exe with system privileges under winlogon.exe,” the researchers explained.

“By exploiting this vulnerability, attackers could infect the victims’ systems with rootkits or bootkits under unexpected system privilege without any notification.”

Customers who don’t have automatic updates enabled are advised to apply the update as soon as possible. Those who can’t have several workarounds at their disposal.