Microsoft releases out-of-band patch for Windows zero-day vulnerability

Microsoft has released a rare, out-of-band patch to resolve a Windows zero-day vulnerability that could allow for privilege escalation or remote code execution.

MS15-078 has been added to the list of patches released as part of last week's Patch Tuesday. The vulnerability is found in how the Windows Adobe Type Manager Library handles OpenType fonts and can be exploited with a specially crafted document or by luring a victim to a malicious Web site.

The patch has been released for all supported versions of Windows. However, Mooney Li, threat analyst for Trend Micro Inc., noted in a blog post that "the fixes in this bulletin supersede those in MS15-077, which included Windows Server 2003 -- which is not a part of this patch. Therefore, it is likely that the now unsupported server OS is also at risk."

If Windows Server 2003 is affected by this vulnerability, it would pose a serious risk to enterprises that did not finish upgrades before last week's end-of-life deadline.

According to Robert Brown, director of services at Verismic Software Inc., "There are already reports coming in that this vulnerability is being actively exploited, so IT managers should be designing their repair strategy as their highest priority.

"What will probably give the IT manager the largest headache is that this update requires a reboot in order to become effective," Brown said. "For large, dispersed environments, the reboot can be the hardest thing to achieve without receiving negative perception from users – and even with the patch installed, unless you reboot, you are still exposed, so a forced reboot is critical."
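Because the fix only takes effect after a restart, a patch-status check has to test both conditions. The script below is an added example, not code from the article or from Microsoft; `$KbId` is a placeholder for the KB number the MS15-078 bulletin lists for the host's Windows version, and the registry locations are the standard Windows pending-reboot indicators.

```powershell
# Added example: report whether the MS15-078 hotfix is installed on this host
# and whether a reboot is still pending, since the fix is not effective until
# the machine restarts. Run from an elevated PowerShell prompt.
param(
    [string]$KbId = 'KBNNNNNNN'   # placeholder: use the KB number from the MS15-078 bulletin
)

function Test-RebootPending {
    # Component Based Servicing sets this key when a servicing operation needs a restart
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    # Windows Update sets this key when an installed update requires a restart
    $wu = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    # Files queued for replacement at next boot (typical when an in-use DLL was updated)
    $pfro = $null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue)
    return ($cbs -or $wu -or $pfro)
}

# Get-HotFix returns nothing when the KB is not present
$installed = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
$rebootPending = Test-RebootPending

if (-not $installed) {
    Write-Output "$env:COMPUTERNAME : $KbId NOT installed - host still exposed"
} elseif ($rebootPending) {
    Write-Output "$env:COMPUTERNAME : $KbId installed but reboot pending - fix not yet effective"
} else {
    Write-Output "$env:COMPUTERNAME : $KbId installed and no reboot pending - patched"
}
```

Running it across the fleet (for example via `Invoke-Command`) gives the "installed but not rebooted" list that Brown's comment says matters most.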