Microsoft issues emergency Windows patch for font attack

Microsoft has been forced to issue an emergency patch for all currently supported versions of Windows after hackers found a way to take remote control of computers by getting users to download infected fonts. The fix covers all versions of Windows released since Vista, including the Windows 10 Preview. 

Microsoft reserves emergency patches for the most serious of flaws, normally fixing even “critical” bugs in the regular monthly update. Microsoft’s move to shut down this flaw suggests that it knows an attack is imminent, although the company’s security bulletin states that it “did not have any information to indicate this vulnerability had been used to attack customers” at the time of writing.  

This specific attack concerns the way Windows Adobe Type Manager Library handles OpenType fonts. “The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts,” Microsoft’s bulletin states. Microsoft says that hackers could take complete control of the user’s system, allowing them to “install programs; view, change, or delete data; or create new accounts with full user rights”.

The emergency patch is being pushed out via Windows Update, which means the fix will be installed automatically, unless you’ve taken the precarious decision to check for updates manually. 

Given that the flaw affects every currently supported version of Windows, including Windows RT and Windows Server, it’s highly likely the bug will also reside in Windows XP, for which Microsoft no longer issues security updates. Users of Windows XP systems will therefore remain vulnerable to the attack, unless their security software can detect and quarantine the malicious font files.