On Wednesdays we wear pink, and on Tuesdays Microsoft pushes big patch packages to correct problems. But on Thursday the company disclosed a vulnerability in its system for displaying custom fonts, and on Monday it released a patch in its security bulletin. Since neither of those days was a Tuesday, you know that this is serious. Also, Microsoft is calling the update “critical,” so that might also be a tipoff.
Researchers looking through documents leaked in the breach of Hacking Team, an Italian company that sells surveillance technology, discovered a vulnerability in the Windows Adobe Type Manager Library. Basically, if you open a document or Web page that has custom fonts built to exploit the flaw, a bad actor could run code of their choosing on your computer. That would be bad!
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The patch applies to all supported versions of Windows (Vista on) plus the as-yet-unreleased Windows 10. If you have automatic updates set up on your Windows machine, the patch has probably already been applied without you noticing, especially because it doesn’t require a restart. But if you keep automatic updating off or you want to be sure, you can download the patch here. Do it.