Microsoft has issued an emergency security update to patch vulnerability in several versions of Windows including the upcoming Windows 10. The security vulnerability was highlighted by an email unearthed post the hacking attack on the Italian Surveillance vendor Hacking Team.
Hacking Team is known for exposing zero-day vulnerabilities, the loopholes in software which are unknown to the vendor. The loopholes are further exploited by the clients to discreetly inject the target with their software. As a matter of fact, the researchers have also found out several zero-days in the deluge of leaked e-mails since last month.
The company’s update labeled MS15-078 has fixed a flaw in the rendering of OpenType fonts which is jointly created by Adobe and Microsoft. The loophole can be exploited by hackers to hijack the PCs, take complete control of the programs and also infuse malware. Thanks to the vulnerability, any user who opens a document or a webpage containing the malicious OpenType font can be attacked.
The Redmond Company had termed the attack as “critical”, which ironically is the highest degree of threat level assigned to vulnerability. On the contrary, Microsoft claimed that it was oblivious to the security breach and any in-progress attacks. The vulnerability would pave way for the hackers to install programs, fiddle with the data and also create new accounts with full user rights. All this at a time when Windows 10 will be reaching the Windows Insiders on July 29 and will make way next month to the users who have reserved their free copy as well as those purchasing new ones.
Genwei Jiang from FireEye and Mateusz Jurczyk from Google Project Zero were the first ones to report the vulnerabilities. A FireEye spokesman told Computerworld that “CVE-2015-2426 is a straight-to-kernal remote code execution vulnerability” and further added that “the vulnerability was leaked with the Hacking Team email breach and the bug was in the Adobe Type Manager font driver file.”
The Italian Vendor Hacking team has been facing wrath from the authorities after it was caught negotiating with a third-party reseller in a bid to export its malware to Nigeria by-passing the Italian export controls.