Critical out-of-band patch issued for Windows zero-day

Microsoft has issued an urgent patch to fix a flaw rated as critical in its Windows desktop and server operating systems which could lead to full system takeover.

The CVE-2015-2426 vulnerability stems from the Windows Adobe Type Manager Library incorrectly handling OpenType fonts. It is one of several vulnerabilities that came to light after spyware vendor Hacking Team suffered a large scale data breach that saw over 400 gigabytes of corporate data leaked.

Attackers could trick users into opening documents or web pages that contain specially crafted OpenType fonts and remotely take complete control of vulnerable systems, Microsoft said.

All current versions of Windows from Vista to 8.1, as well as Server, are vulnerable to the exploit. Microsoft is quickly pushing out a patch to fix the vulnerability through Windows Update as exploitation of the flaw is "likely", the company said.

Just last week Microsoft warned about another, font-related security issue in the MS15-077 security bulletin.

The earlier vulnerability concerned the Adobe Type Manager Font Driver (ATMFD), which did not properly handle objects in memory. 

Attackers could log onto systems with unpatched ATMFD.DLL files and execute a malicious application to obtain privilege escalation and take complete control over vulnerable computers, Microsoft said. That flaw, CVE-2015-2387, is currently being exploited, Microsoft said.

Genwei Jian of security vendor FireEye and Mateusz Jurczyk from Google's Project Zero are credited with finding the OpenType Font Driver vulnerability.