Microsoft rushes out patch to secure against new Hacking Team exploit
Another day, another patch against security flaws supposedly exploited by Hacking Team
Microsoft has rushed out another out-of-band patch for Windows to secure a flaw exploited by Hacking Team, the hacked Italian software company that provided surveillance software to companies around the world.
It follows a fix incorporated into its regular 14th July Patch Tuesday release, which closed an elevation-of-privilege flaw in Windows that Hacking Team had been exploiting in order to help clients propagate the company's malware. It is the latest zero-day security flaw to be uncovered by analysis of the code released when Hacking Team was hacked just over two weeks ago.
"The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts," explained the Microsoft security bulletin. The flaw is applicable to Windows Vista, Windows 7 and Windows 8, as well as Windows Server 2008 and Windows Server 2012.
Microsoft claims that there have been no reports of the flaw being exploited in the wild. "When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers," the security bulletin continued.
That claim, though, has raised some eyebrows among security specialists.
"Today's out-of-band patch, MS15-078, addresses CVE-2015-2426, a bug in the OpenType Font Driver that can lead to remote code execution on effectively all Windows client systems. While this driver, atmfd.dll, handles the font rendering in some Adobe products, it's shipped and signed by Microsoft, and has been for quite a while," said Tod Beardsley, a security engineering manager at security services company Rapid7.
He continued: "Because this exposure is in a font renderer, the most common attack scenarios involve an attacker luring a victim to a malicious or compromised website, or enticing a victim to open a malicious attachment.
"Since Microsoft has stated that they have no indication that this vulnerability was used to attack customers, it begs the question, why release an out-of-band patch in the first place? This is an unusual move for Microsoft.
"In any case, users are encouraged to update their Windows clients as soon as practical, and failing a patch and restart, disabling this font rendering service entirely by following the detailed instructions in Microsoft's article, MS15-078."
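As an added example (not from the article, Rapid7 or Microsoft), a PowerShell check an administrator could run to see whether a host is still exposed to CVE-2015-2426. It assumes the MS15-078 update is tracked as KB3079904 and that the registry workaround on Windows 8 and later is the DisableATMFD value; both should be confirmed against the bulletin before relying on the result.

```powershell
# Audit a Windows host for the MS15-078 / CVE-2015-2426 exposure described above.
# Added example; assumptions: KB3079904 is the MS15-078 update id and DisableATMFD
# is the Windows 8+ workaround value (confirm both against the Microsoft bulletin).
$kbId     = 'KB3079904'                                   # assumed MS15-078 KB id
$atmfd    = Join-Path $env:windir 'System32\atmfd.dll'    # driver named in the bulletin
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# 1. Is the out-of-band update installed?
$patched = [bool](Get-HotFix -Id $kbId -ErrorAction SilentlyContinue)

# 2. Is the vulnerable font driver still on disk, and which version?
$driverPresent = Test-Path $atmfd
$driverVersion = if ($driverPresent) { (Get-Item $atmfd).VersionInfo.FileVersion } else { $null }

# 3. Has the "disable the font driver" workaround been applied (Windows 8 and later)?
$disableValue = (Get-ItemProperty -Path $regPath -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
$workaroundSet = ($disableValue -eq 1)

# A host is exposed only if it is unpatched, still ships the driver, and has not
# disabled it. Emit an object so the result can be collected across many machines.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    MS15078Installed  = $patched
    AtmfdDllPresent   = $driverPresent
    AtmfdDllVersion   = $driverVersion
    DisableATMFDSet   = $workaroundSet
    Exposed           = (-not $patched) -and $driverPresent -and (-not $workaroundSet)
}
```

Run it with `Invoke-Command` against a list of hosts to get a fleet-wide view of which machines still need the patch or the workaround.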
Microsoft classified the vulnerability as "critical", its highest threat level, because the vulnerability could be used to hijack a targeted PC.