Microsoft Issues Emergency Windows Security Patch For Remote Code Execution Vulnerability

Microsoft is plugging a security hole with a new Critical-rated security update. The patch will fix an issue in Windows and OpenType fonts that could expose users to malicious website content. So long as you have automatic updates enabled, your PC will download and install the patch, if it hasn’t already.

“This security update resolves a vulnerability in Windows that could allow remote code execution if a user opens a specially crafted document or goes to an untrusted webpage that contains embedded OpenType fonts,” Microsoft said in a statement. It deems the hole dangerous enough to have released the update ahead of its typical Tuesday patch.

The vulnerability is exploitable due to the way Windows Adobe Type Manager Library handles OpenType fonts. If you visit a webpage that has embedded OpenType fonts and you haven’t patched your system with the security update, you could open your PC to remote code execution. Microsoft announced the vulnerability (and fix) in Security Bulletin MS15-078. 

Multiple security firms claim to have discovered the vulnerability after researching the documents released into the wild when Hacking Team was itself successfully hacked. The breach of Hacking Team has already led to other vulnerabilities being exposed, including two new Adobe Flash exploits. 

The update affects Windows Vista, Server 2008, Windows 7 and Windows 8, among others. You can see the list of affected operating systems on Microsoft’s Technet site.