Broken Windows: Microsoft Issues Emergency Patch

Windows 10-cycle

Microsoft has issued an emergency security update for its Windows operating systems. The update is to prevent hackers taking “complete control” of your computer system using a vulnerability relating to OpenType fonts. It’s serious stuff hence the emergency fix.

In a security bulletin issued on Monday Microsoft states:

“A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft note that although the vulnerability was public they “did not have any information to indicate this vulnerability had been used to attack customers”. You should probably run Windows Update asap, however.

All supported versions of Windows are affected (Vista, 7, 8, 8.1 and RT as well as the test version of Windows 10). Older and other versions may also be vulnerable but are outside Microsoft’s support remit, so you’ll have to cast further afield to find a solution if you’re a die-hard XPer.

So, what to do?

If you have automatic updating switched on then you shouldn’t need to do anything because the fix will be installed as part of that process. If you take a manual approach and haven’t updated yet – or for any reason cannot – you can find instructions on how to patch the OS up yourself on the Affected Software bit of the bulletin.

47 Comments

  1. TheAngriestHobo says:

    Well, crap. I went and turned off Windows Update when I booted up my computer because I figured the patch could wait until I was busy, but this sounds serious. Now I have to spend 10 minutes not playing CK2.

    • Solidstate89 says:

      Why the fuck would you ever turn off WU? Just set it to “Download Updates and Let me choose when to install them.”

      • TheAngriestHobo says:

        When I say “turned off”, I mean “temporarily disabled through command prompt”. Not turned off permanently. It starts right back up next time you boot up, or sooner, if you choose to restart it. It’s a safer way of circumventing the 4-hour maximum delay on Windows Update than your suggestion.

        • Solidstate89 says:

          In what way is it safer? With that setting you literally don’t have to install anything until you manually go in there and tell it to. And it has the advantage of most likely having already downloaded the updates, so it saves you time when you do choose to install them. Your method of using the CMD doesn’t offer any advantages at all.

          Besides, it’s all a moot point if you upgrade to Windows 10 as ever since Windows 8 launched, you’ve had 3 days to restart your machine as MS finally removed the 4 hour limit. Which – again – if you just use the setting above isn’t an issue at all.

          • TheAngriestHobo says:

            I’ve got limited free time, so I’ll be brief.

            A) I’m running Windows 7, not Windows 10. I still have the 4-hour limit.

            B) By the time I’m alerted to the update, it’s been downloaded and is waiting to be installed.

            C) With my method, the computer is only reliant on me to disallow a specific update, not to allow it. Since I often boot up my PC and go do other things in the morning, most updates are installed as soon as possible. There’s only ever a delay if I have something else I want to squeeze in early in the morning.

            D) Chill out and stop fretting about how I run my rig.

          • Kitsunin says:

            To put it simply, the advantage is this:

            If you aren’t using the computer, it automatically restarts and installs the update, no bother.
            If you are, or you have something important open, you’re only temporary disabling the updater, so you won’t have to worry about the computer pestering you or worse, shutting down when important stuff is open.

          • SuicideKing says:

            Wait – is that “postpone” dialogue not present in Windows 10 either?

          • anHorse says:

            You can’t opt out of updates on windows 10 (or roll them back) without the pro version

            Which is fun when you get a broken update

          • Premium User Badge

            Phasma Felis says:

            “You can’t opt out of updates on windows 10 (or roll them back) without the pro version”

            Can someone confirm if this is true for the release version? I know the tech-preview version enforced updates, because you don’t want people submitting bugs that you already fixed, but I hadn’t heard that the release version continues that.

        • Xiyng says:

          It sounds like you aren’t familiar with the trick that allows you to stop just the automatic restarts and the continuous nagging about restarting your computer. Because, you know, it exists. I don’t even remember when I’ve last seen that restart prompt on my PC.

      • ansionnach says:

        Turning it off makes perfect sense if you have a very limited internet connection.

  2. Gap Gen says:

    “The update is to prevent hackers taking “complete control” of your computer system using a vulnerability relating to OpenType fonts.”

    H… how?

    • LTK says:

      I don’t know the long answer, but the short answer is that programming sucks.

      • thelastpointer says:

        That was amazing

        • deiseach says:

          Why would anyone tunnel under Mordor when they could just ask the eagles to fly over?

          Yes, that was cool.

          • Tei says:

            That will work once, but is a lot of manually work. What if you want to visit Mordor every week? What if Orks start working in Rivendel industries, but they have to return the week-end to Mordor to have quality time with their families?

            Its better to have a system where you can buy specialized butterfly that can live in your pockets. Every time you need to travel to mordor, you free one of these butterfly that will fly high, eagles will notices these and fly down following the butterfly scent to the originator, pick him and release him in mordor.

            In mordor and rivendell you will have butterfly vendors that will provide these for a price. They will adquire the butterfly from the eagles, they will trade the butterfly for food.

          • deiseach says:

            @Tei

            On second thoughts, let’s just use a sleigh pulled by rabbits.

      • Gap Gen says:

        Yeah that’s a pretty good summary of how commercial code works as far as I’m familiar with it (academic code is generally worse but on a smaller scale with fewer bureaucratic hurdles, and actually the commercial code I saw was written by C programmers writing C++ over a couple of decades that they then let a summer student (me) loose on).

      • LionsPhil says:

        It’s a classic.

      • TillEulenspiegel says:

        Practice safe programming, kids. Just use Rust.

        • Gap Gen says:

          That works fine until someone builds a fence around your house and locks you in while you’re asleep.

    • Tacroy says:

      Adobe is the answer. If you look at it, Microsoft is actually issuing a patch for an Adobe component.

      • Solidstate89 says:

        Incorrect. Adobe and MS worked together when they built the OpenType fonts, but Microsoft has been in complete control of them for roughly a decade now. Apple also has OpenType fonts available in their system, as they were officially forked from Adobe; with their permission.

        Adobe hasn’t had anything to do with these font systems in 10 years or more.

      • Tei says:

        Probably fonts are designed to have too low level for performance sake. Weirdly, they are also classified as programs, or so I have heard (is probably wrong).

    • Premium User Badge

      Harlander says:

      Has anyone been interested enough to find out what the deal behind it was? My money’s on a buffer overflow or underflow, one of the classic vulnerabilities that basically lets you overwrite bits of a running program with whatever the hell you want.

      • Premium User Badge

        Don Reba says:

        Here is an overview: link to blog.trendmicro.com

        It is a memory corruption error — an out-of-boundary write. There is a driver handling OpenType fonts. When handling some low-level font structures, due to a bug, this driver can be asked to overwrite a GUI object. This corrupted object can then execute additional code embedded as data in the font. Drivers run with the highest privileges, so this compromises the system completely.

  3. iainl says:

    So we can add “Font Format” to “Document Reader” in the list of things Adobe can’t even write without turning it into an attack vector? Blimey.

  4. zenmumbler says:

    Can you change the desktop picture of that Windows 10 News Headline Picture™ now and then? Maybe provide alternate generic Windows desktop screenshots as DLC? Just throwing out ideas here. That bicycle has run its course, I feel.

  5. guidom says:

    this can’t be real, it all sounds a bit too fontastic

    • AriochRN says:

      Just to be safe, I’m going to follow their instructions to the letter

    • Solidstate89 says:

      There’s a long history of fonts being used as attack vectors, across all OSes. They’re generally stored as bytecode to allow the kind of scaling and formatting required here in the modern world.

      That means they’re as much as an attack vector as anything else.

      • zenmumbler says:

        Comic Sans, especially, is an attack vector on common decency.

      • LionsPhil says:

        There’s also the more simple angle that they’re data that needs to be parsed, which can come from passively viewing web pages now that CSS Web Font support is a thing, and every parser contains at least one exploitable vulnerability, no exceptions.

      • eclipse mattaru says:

        Cool story. Also, I’m pretty sure he was starting a pun thread.

    • gunny1993 says:

      It’s all magic to me, better use spellcheck

    • AriochRN says:

      Sometimes the Type of post on RPS poses a difficult question: is it APunType that Abodes here?

  6. blind_boy_grunt says:

    “The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts. ”
    …visiting a website. I love computers.

  7. Lord Custard Smingleigh says:

    Bah, I don’t even have complete control over my own computer. This patch has removed my last chance to exert any kind of influence at all over its actions!

  8. LionsPhil says:

    I’m not sure why this is any more newsworthy that any other out-of-usual-Tuesday-routine security update, especially as it’s late relative to Windows Update’s own notifications?

    • Jelly says:

      Article quota to meet, or maybe they thought the title was exciting enough to make people click their RSS feeds – it worked for me.

  9. fish99 says:

    I’m not leaving the house until this is….. oh it’s fixed.

  10. Chaoslord AJ says:

    Should be worth noting that this exploit is already in use and found in the inventory of infamous company “hacking team”.
    Those guys apparently legally sell spyware to dictatorships but their whole exploits were brought to public when someone well “hacked” them. Hope there’s a hell for them somewhere.

  11. WiggumEsquilax says:

    You see, this is why I don’t install alpha operating systems.