Microsoft has published details about a vulnerability (MS15-078) that allows "remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts". Microsoft has rated this bulletin Critical and has released a security update for all supported releases of Microsoft Windows. Most users will have already received the update if automatic updates were enabled on their workstation.
So what is an OpenType® font anyway? OpenType is a font format that works across Adobe and Windows platforms. With OpenType fonts, users can draw on Adobe's larger font library. The security update addresses the vulnerability by correcting the way in which the Windows Adobe Type Manager Library handles OpenType fonts.
The good news is that so far there has been no known attack using this vulnerability. The initial flaw was discovered by two engineers from Google's Project Zero, and Microsoft has acknowledged their discovery, which has allowed Microsoft to mitigate the risk and get ahead of the vulnerability for its users.
We expect Project Zero will make future discoveries, and we encourage all users to stay informed. To stay up to date on the latest news about information security and compliance, subscribe to our blog today.