All supported versions of Windows are affected
In a rare move, Microsoft has issued an out-of-band (read: emergency) security patch for Windows to address a zero-day vulnerability that could allow a hacker to take control of a system remotely. The security threat and subsequent patch affect all supported versions of Windows, including Windows 10.
"The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts," Microsoft stated in a security bulletin.
Left unpatched, Microsoft says an attacker who takes advantage of the exploit could take complete control of a system and proceed to "install programs; view, change, or delete data; or create new accounts with full users rights."
What's more, an attacker has multiple avenues to exploit the vulnerability. One such way is by convincing a user to open a specially crafted document, while another option is getting a user to visit an untrusted webpage that contains embedded OpenType fonts.
The vulnerability was discovered by researchers who combed through numerous emails that were made public after Italian security outfit Hacking Team was itself hacked, ComputerWorld reports. Specifically, Microsoft gives credit to FireEye's Genwei Jiang and Google Project Zero's Mateusz Jurczyk for reporting the vulnerability.
Hacking Team makes a living by selling surveillance software to governments and corporations around the world. It also sells zero-day vulnerabilities, such as the three in Adobe Flash Player that prompted Mozilla to disable the software by default in its Firefox browser.
If you have automatic updates enabled, Microsoft says you're all set. This also underscores why Microsoft is forcing automatic updates on Windows 10 Home users, though Windows 10 Pro users will have the option of putting off updates for up to eight months.
Follow Paul on Google+, Twitter, and Facebook
From maximumpc
from http://bit.ly/1OuUs8w
