On July 20, Microsoft issued a sporadic emergency security update to secure a vulnerability affecting all of the current forms of Windows software.
This update was released after the vulnerability was found in a massive cache of emails illegally seized and leaked from Italian IT security company Hacking Team.
Hacking Team, which provides surveillance software to governments and corporations, was subject to an attack earlier this month in which cyber thieves gained 400GB of data from the company, including information on many currently exploitable insecurities in widely-used software.
The new Windows update in question remedied an issue with the Windows Adobe Type Manager Library, as to how the Adobe Type Manager Library font drive analyzes OpenType fonts.
While Microsoft claims there have been no attacks exploiting this particular vulnerability so far, the reality of this weakness’s capacity for allowing wrongful parties to access critical information and control of otherwise secure systems cannot be understated:
- Microsoft classifies the vulnerability as “critical”.
This is their most serious threat level, because a successful attack could entirely compromise a Windows device.
- This vulnerability could grant hackers total control of the device in question.
“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” as stated in Microsoft’s update on the leak.
- It provides a relatively simple process for hackers to take advantage of unsuspecting users.
Hackers could exploit the bug by having victims open a document containing malformed OpenType fonts, or by taking them to malicious websites with similar content.
- Even industry experts recognize the simplicity of exploiting this issue.
“Looks as if it is ‘easy’ to exploit reliably, [so] that’s why they are going out-of-band,” said Wolfgang Kandek, CTO of security vendor Qualys, to computerworld.com.
- The vulnerability is even found in unreleased software.
This flaw was found in Microsoft’s upcoming Windows 10 OS, which is starting beta-testing as soon as July 29.
This updated (labelled MS15-078) can downloaded and installed using the regular Windows Updated Service, but you can do more to guarantee the safety of your company’s software! To learn more about protecting your business from software vulnerabilities, contact Effortless 24/7 at (248) 681-7722 or email: firstname.lastname@example.org