Microsoft patches Windows zero-day found in Hacking Team's leaked docs

Microsoft today issued an emergency security update to patch a flaw in Windows -- including the not-yet-released Windows 10 -- that was uncovered by researchers after a breach of Italian surveillance firm Hacking Team.

Microsoft today issued one of its sporadic emergency, or "out-of-band," security updates to patch a vulnerability in Windows -- including the yet-to-be-released Windows 10 -- that was uncovered by researchers sifting through the massive cache of emails leaked after a breach of Italian surveillance vendor Hacking Team.

The Milan-based vendor sells surveillance software to governments and corporations, and markets zero-day vulnerabilities that its clients can use to silently infect targets with the firm's software. Researchers have found several zero-days -- flaws that were not fixed before they went public -- in the gigabytes of pilfered documents and messages, including three in Adobe's Flash Player, since July 5.

The Microsoft vulnerability adds to the growing tally.

The Redmond, Wash. company's update, labeled MS15-078, fixed a flaw in the Windows Adobe Type Manager Library, which handles the rendering of OpenType fonts, a format co-created by Microsoft and Adobe.

Microsoft credited FireEye's Genwei Jiang and Google Project Zero's Mateusz Jurczyk with reporting the vulnerability.

"CVE-2015-2426 is a straight-to-kernel remote code execution vulnerability," a FireEye spokesman said in an email reply to questions, using the flaw's Common Vulnerabilities and Exposure identifier. "The vulnerability was leaked with the Hacking Team email breach."

FireEye added that the bug was in the way the Adobe Type Manager Library font driver -- the file "ATMFD.dll" -- parses OpenType fonts.

Microsoft classified the vulnerability as "critical," its most serious threat level, because a successful attack could hijack a vulnerable Windows device. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft's write-up said.

Cyber criminals could exploit the bug by duping victims into opening a document that included malformed OpenType fonts, or by luring them to malicious websites with embedded OpenType.

While the vulnerability had gone public before today, Microsoft asserted that it knew of no actual in-progress attacks. "[But] our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability," the company added.

"Looks as if it is 'easy' to exploit reliably, [so] that's why they are going out-of-band," said Wolfgang Kandek, CTO of security vendor Qualys, in an interview over instant message.

Microsoft may have also pulled the trigger because of Windows 10's looming launch: The operating system is to reach beta testers Thursday, July 29, then begin rolling out to customers who have "reserved" a copy of the free upgrade from Windows 7 or Windows 8.1. Sans a patch -- and with the vulnerability out -- Microsoft would have been mocked for claiming Windows 10 was more secure than previous versions of Windows.

Microsoft did patch Windows 10's preview build 10240, the code expected to be the final release and handed to testers six days ago. Computerworld triggered a manual check for updates on Windows 10 build 10240 within minutes of Microsoft sounding the alert; the PC found the update, then automatically downloaded and installed it.

Today's sudden update was the first since January, when Microsoft shut down its public advance notification service for pending security updates, including out-of-band patches like MS15-078. At the time, Microsoft said it would use other ways to communicate the urgency of an out-of-band update to customers, but it did not elaborate.

Microsoft used the Twitter account of its security response center and that group's blog to announce the availability of MS15-078 today.

The last out-of-band security update from Microsoft was in November 2014, when it issued a patch for a bug hackers were already exploiting in its Windows Server software.

The MS15-078 update can be downloaded and installed via the Windows Update service, as well as through Windows Server Update Services (WSUS) to patch Windows Vista, Windows 7, Windows RT and RT 8.1, Windows 8 and 8.1, Windows 10, Windows Server 2008 and 2008 R2, and Windows Server 2012 and 2012 R2.

Join the CSO newsletter!

Error: Please check your email address.

Tags Malware & VulnerabilitiesantispamGoogleMicrosoftsecurityFireEyeWindows 10Hacking Team

More about ExposureFireEyeGoogleMicrosoftQualysTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place