Microsoft releases emergency security patch for all Windows versions
Microsoft has released an off-schedule patch for all currently supported versions of Windows. A serious vulnerability has been discovered in a font driver that could be exploited by a hacker to remotely execute code on a compromised machine.
The problem affects Vista, Windows 7, Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2008, and Windows Server 2012. Windows 10 is not at risk. Microsoft describes the issue as 'critical' and has pushed an emergency patch to Windows Update.
If you have Automatic Update enabled, things will take care of themselves, but otherwise you will have to manually instigate a download -- or you can download the relevant patch by hand. An advisory notice in the Security TechCenter warns that "the vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts".
The security hole is patched by updating the way Windows Adobe Type Manager Library handles OpenType fonts. Interestingly, Microsoft does not list any mitigating factors for this vulnerability, so the importance of grabbing the update really cannot be overstated.
The vulnerability was discovered by Google Project Zero and FireEye Inc earlier in the month, and Microsoft has acted fairly quickly to address the issue.