Microsoft has four different levels for classifying vulnerabilities in an operating system. Most of them aren’t of huge concern, and the fixes are bundled into a weekly update. Sometimes, though, Microsoft has to sound the air raid sirens with a critical severity security flaw, in this case one that affects every version of Windows, and could mean losing complete control of your system.
The exploit, which is fondly referred to as MS15-078, takes advantage of the method in which the system handles third-party fonts. The attacker uses a file or website with a special font embedded in it, and when the system attempts to draw the file, it causes a back door in the code that gives the attacker unfettered access to the system.
Once inside, they can install malicious software, view and change data, and even create an administrative user account without you knowing they’re there at all.
As far as Microsoft can tell, or is willing to admit, no users have been attacked using this method yet, but it was out there in the wild. News of the flaw comes courtesy of the Italian software company Hacking Team, whose software and clients were recently hacked by another group and shared on Twitter. The details of the flaw were uncovered in the shared files by members of a number of different infosec groups, including FireEye and Google’s Project Zero.
The hack affects Windows 7, 8, 8.1, RT, RT 8.1, and Servers 2008 through 2012 R2. The home versions of Windows have already been issued automatic updates, while server users will have to download and patch the issue themselves.
You can also find more detailed information, along with command-line workarounds if you want to seal the leak by hand. The latest Insider Preview for Windows 10 is said to be affected as well, but no patch has been issued, so if that’s you, be careful where you click.
- Microsoft’s latest Windows 10 patch will address Spectre Variant 2 CPU flaw
- Microsoft’s Windows 7 Meltdown update granted access to all data in memory
- Hackers can bypass the Windows 10 S lockdown due to security flaw
- AMD is working on fixes for the reported Ryzenfall, MasterKey vulnerabilities
- Microsoft misses another Edge-related 90-day security disclosure deadline