Emergency Microsoft Security Patch Issued Monday

Just one week before Microsoft’s newest operating system is released, a security flaw has already been discovered that affects all current versions of the Windows OS including the company’s latest addition, Windows 10. Microsoft issued an emergency security fix on Monday that has been classified as “critical” due to the severity of the vulnerability. An exploit has been discovered that essentially affords hackers complete access to a victim’s computer. According to an online security bulletin posted by Microsoft on Monday, this vulnerability allows hackers to take “complete control of the affected system.” This particular vulnerability allows hackers to install, view, change, and delete data or create new accounts with full administrative privileges.

The most noteworthy aspect of this vulnerability is that it affects all current Windows users operating machines running Windows Vista, Windows 7, Windows 8 (and 8.1), Windows RT, and even Windows 10. To put this into perspective, this single vulnerability affects two out of every three of nearly 1.5 billion Windows PCs around the world. This vulnerability is so dangerous that Microsoft issued an emergency update – opting not to wait until the normally scheduled monthly updates colloquially referred to as “Patch Tuesday.” The significance of this emergency patch cannot be overstated because Microsoft last issued an emergency patch in November 2014. According to Microsoft’s statement, a hacker can attack an unsuspecting Windows user by luring them into opening a specially-crafted email attachment or visiting a compromised website. This is possible because this vulnerability targets OpenType – a heavily used format that allows computers to render special fonts. OpenType was created as a joint effort between Adobe and Microsoft.


Interestingly enough, this vulnerability was originally discovered as a result of the already well-publicized breach of the Italian surveillance crew known as the Hacking Team, a breach that occurred earlier this month. Microsoft also indicated that the flaw was originally discovered by the Swedish security firm FireEye, spearheaded by Genwei Jiang and Mateusz Jurczyk, two researchers who are a part of Google’s Project Zero security squad.

This newly discovered remote code execution vulnerability exists in all versions of Microsoft Windows whenever the Windows Adobe Type Manager Library improperly handles specially-crafted fonts based on the OpenType platform.

Although Microsoft has classified this vulnerability as critical, there is no evidence that the vulnerability has been exploited in the wild as of this writing. The security patch that addresses this issue is already available to all Windows users. For system administrators who are not ready to update systems at this time, a workaround also exists that prevents the vulnerability from being exploited.

For Windows 8 systems, a simple registry change will disable ATMFD altogether. In the Registry Editor, navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD and change the DWORD value to 1. If this DWORD value does not exist, it can be created. Once changes to the registry are complete, restart the system.

For other versions of Windows, this exploit can be prevented by changing the name of the ATMFD.dll file where the vulnerability actually resides. This can be accomplished at the administrative command prompt using the following commands:

cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
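
To confirm on a given machine which of the two workarounds described above is actually in place, a read-only check such as the following can be run from an elevated PowerShell prompt. It is an added example, not code from the article or from Microsoft; the function name and output property names are hypothetical, while the registry key, value name and file names are the ones given above.

```powershell
# Added example (not from the article or Microsoft): read-only audit of the
# two ATMFD workarounds. Function and property names are hypothetical.
function Get-AtmfdWorkaroundState {
    [CmdletBinding()]
    param(
        # Registry key and directory as given in the article.
        [string]$RegistryKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
        [string]$SystemDir = (Join-Path $env:windir 'System32')
    )

    # Registry workaround: DWORD value DisableATMFD set to 1.
    $disable = $null
    $prop = Get-ItemProperty -Path $RegistryKey -Name 'DisableATMFD' -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $disable = $prop.DisableATMFD }

    # Rename workaround: atmfd.dll gone, x-atmfd.dll present.
    $dllPresent     = Test-Path -LiteralPath (Join-Path $SystemDir 'atmfd.dll')
    $renamedPresent = Test-Path -LiteralPath (Join-Path $SystemDir 'x-atmfd.dll')
    $aclSaved       = Test-Path -LiteralPath (Join-Path $SystemDir 'atmfd.dll.acl')

    $registryApplied = ($disable -eq 1)
    $renameApplied   = ($renamedPresent -and -not $dllPresent)

    $notes = @()
    if ($renamedPresent -and $dllPresent) {
        # The file is available under its original name again, so the
        # rename on its own no longer counts as an applied workaround.
        $notes += 'atmfd.dll exists alongside x-atmfd.dll: rename workaround is not effective'
    }
    if ($renameApplied -and -not $aclSaved) {
        $notes += 'atmfd.dll.acl not found: original permissions were not saved'
    }
    if (-not ($registryApplied -or $renameApplied)) {
        $notes += 'no workaround detected: confirm the security update is installed'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DisableATMFD       = $disable
        RegistryWorkaround = $registryApplied
        RenameWorkaround   = $renameApplied
        AclBackupPresent   = $aclSaved
        Notes              = ($notes -join '; ')
    }
}

Get-AtmfdWorkaroundState | Format-List
```

On 64-bit Windows, run this from a 64-bit PowerShell session; a 32-bit process has System32 redirected to SysWOW64 and would inspect the wrong directory.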

If either of the two options above is used as a temporary workaround, keep in mind that applications relying on embedded font technology will not display properly. Some applications may not work at all if they rely heavily on OpenType fonts.

News of this critical flaw comes only one week before Microsoft releases its next big operating system overhaul, Windows 10. All current Windows 7 and Windows 8.1 users will be able to download and upgrade to Windows 10 for free starting on Wednesday, July 29. Interestingly enough, Windows 10 has new security features including Device Guard, a software tool designed to prevent the type of attack presented by this vulnerability. Another new feature of Windows 10 is known as Windows Hello, a biometric security tool that allows users to add face, fingerprint, or iris recognition to the PC as an added layer of security and protection.


Despite these additional security features, the OpenType vulnerability affects the latest test version of Windows 10 - a version that is widely believed to be the final iteration of the new operating system prior to its release to the general public next week. Keep in mind that Microsoft has already issued a security patch to correct the way in which the Windows Adobe Type Manager Library handles OpenType fonts. This update will be pushed to all affected Windows operating systems throughout the week and has already been patched in the upcoming Windows 10 release according to a Microsoft blog post on the subject.

To ensure that all of your PCs receive the update, confirm that automatic updates are enabled, accept the updates, and restart after installation as soon as possible.

The critical nature of this vulnerability, combined with the recent public statement about how the vulnerability works, means that many hackers will be looking to capitalize on this flaw by targeting systems that have not yet received the security patch. Although this vulnerability is not caused by malware, if a hacker is able to exploit a system using this flaw, that individual could install many forms of malware on the machine without the knowledge of the owner. For this reason, ensure that all third-party applications are updated regularly and confirm that a valid antivirus program is installed and regularly updated to protect against some of the malware strains that could be installed on the PC as a result of this attack.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
