Due to a critical OpenType font driver vulnerability affecting every version of Windows ever, Microsoft has released an out-of-band emergency update to address this huge issue (emphasis added):
“This is a complete exploit which allows even an escape of the Chrome sandbox through a kernel bug; the proof of exploit code runs the Windows calculator calc.exe with system privileges under winlogon.exe,” Trend Micro researchers explained in a blog post.
“There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts,” Microsoft’s advisory (MS15-078) explained.
While Microsoft said the vulnerability was public, the software giant said it did not have any details indicating that the flaw had been exploited to attack customers. However, Microsoft warned that exploit code could be created in such a way that “an attacker could consistently exploit” the vulnerability.
Microsoft customers that have automatic updating enabled should already be protected, as the update is downloaded and installed automatically. Users who do not have automatic updating enabled, or who install updates manually, should install the update themselves; Microsoft has published instructions for doing so manually.
Microsoft also provided information on workarounds for various versions of Windows.
Get those Windows machines patched ASAP or risk potential compromise.