Microsoft today released an emergency out-of-band critical update, KB3079904, for Windows Vista and higher (including Windows RT and Server). If you don’t have automatic updates turned on, run Windows Update manually as soon as possible and make sure your system is patched.
According to Microsoft: “This security update resolves a vulnerability in Windows that could allow remote code execution if a user opens a specially crafted document or goes to an untrusted webpage that contains embedded OpenType fonts.”
The Microsoft Security advisory site provides additional details:
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft says it’s not aware of any customers being attacked yet, but the fact that it released this patch today suggests the company considers it a potentially serious problem.
If you’re an IT admin, read the Microsoft Security advisory page for details about workarounds you can use if it’s not possible to roll out the patch throughout your company’s systems.
Remember, if you’re still running XP for some reason, you are out of luck for this patch. In fact, you shouldn’t be running XP at all; it’s a security disaster waiting to happen.
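For admins who need to confirm where the patch has landed, the following added example (not from Microsoft or the original article) uses the built-in `Get-HotFix` cmdlet to report whether KB3079904 is listed on each host. The function name `Test-HotFixInstalled` and the host names are hypothetical placeholders, and the script assumes PowerShell 3.0 or later with rights to query the remote machines.

```powershell
# Added example: report which hosts list KB3079904 as installed.
# Host names are constructed placeholders; substitute your own inventory.
$KbId      = 'KB3079904'
$Computers = @($env:COMPUTERNAME, 'HOST-A.example.test', 'HOST-B.example.test')

function Test-HotFixInstalled {
    param(
        [Parameter(Mandatory = $true)] [string]   $HotFixId,
        [Parameter(Mandatory = $true)] [string[]] $ComputerName
    )
    foreach ($computer in $ComputerName) {
        $status      = 'Missing'
        $installedOn = $null
        try {
            # Pull the full hotfix list and filter locally, so that a failed
            # query (caught below) is distinguishable from "update not listed".
            $match = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     Where-Object { $_.HotFixID -eq $HotFixId } |
                     Select-Object -First 1
            if ($match) {
                $status      = 'Installed'
                $installedOn = $match.InstalledOn
            }
        }
        catch {
            # Unreachable host, access denied, WMI/RPC blocked, etc.
            $status = "QueryFailed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            ComputerName = $computer
            HotFixId     = $HotFixId
            Status       = $status
            InstalledOn  = $installedOn
        }
    }
}

# Hosts that need attention sort after the installed ones.
Test-HotFixInstalled -HotFixId $KbId -ComputerName $Computers |
    Sort-Object Status, ComputerName |
    Format-Table -AutoSize
```

`Missing` only means `Get-HotFix` does not list this KB on that host, so confirm against your patch-management tooling before treating the machine as unpatched.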