Microsoft plugs gaping security hole with KB 3079904, KB 3074667

It’s a critical patch for all versions of Windows, including Windows 10, covering yet another OpenType font problem

Microsoft plugs gaping security hole with KB 3079904, KB 3074667
Credit: David Shankbone, CC BY-SA 3.0, via Wikipedia

A new critical patch, MS15-078 / KB 3079904, replaces a similar patch, MS15-077 / KB 3077657, that was released last week. They tackle a hole in the Adobe Type Manager font manager that can be exploited when you just look at a Web page or open a document with a compromised embedded OpenType font. Once the remote code execution hole is breached, "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The alternate name for the patch, KB 3074667, applies to Windows 10 Technical Preview build 10240.

Microsoft goes on to say:

When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.

There are several manual workarounds, if you're worried about installing a(nother) kernel patch, but they're pretty drastic:

Applications that rely on embedded font technology will not display properly [after applying the manual workarounds]. Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.

The Windows 10 patch, in particular, brings along some non-security baggage:

Additionally, this update includes non–security-related changes to enhance the functionality of Windows 10 through new features and improvements.

It's not at all clear what other changes to Windows 10 functionality are coming along for the ride.

Gregg Keizer at Computerworld has a scathing review of Windows 10 updates, posted this morning, that certainly applies to this bundled security-and-unidentified-non-security update.

Remarkably, last week's KB 3077657 has had few problems. That's rare for an OpenType patch. Perhaps we'll get equally luck with this week's patch.

I also found it curious that Microsoft's using the term "out of band." In this new world of Windows as a Service, I'm not sure "out of band" has any meaning. That said, it certainly accurately describes this patch, which arrived on a Monday, not a Tuesday.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies