Microsoft Issues an Emergency Update to Patch a Vulnerability That Affects All
Microsoft released an emergency patch on Monday, July 20, that addresses a security flaw in the font driver of Windows machines. The company typically issues security updates once a month on what is known as Patch Tuesday, but this out-of-band update indicates just how serious this security flaw is.
Microsoft issued an advisory about the vulnerability. The bug, if exploited, allows hackers to remotely execute malicious code on Windows computers. It thanked security firm FireEye and Google’s Project Zero. Large organizations using the operating system could be at risk if any member of their organization clicks a phishing link, which could even lead to a spoof of a website the user normally visits, backed with a modified font that contains the malware.
The patch that Microsoft pushed out today fixes the vulnerability on all supported systems. Alternatively, the victim could be redirected to a website with embedded OpenType fonts.
The vulnerability itself exists in OpenType, a font format co-developed by Microsoft and Adobe. Furthermore, the attacker could create new accounts on the victim’s computer and provide them with full user rights.
The easiest way to close the security hole is to use Windows Update to install the patch.