Microsoft addresses critical RCE vulnerability in all versions of Windows
Microsoft on Monday released security updates for all supported releases of Windows – including Windows 7, Windows 8, Windows 8.1 and Windows Vista – to address a critical OpenType font driver vulnerability.
If successfully exploited, the remote code execution (RCE) vulnerability – CVE-2015-2426 – can enable an attacker to take full control of the affected system, a security bulletin indicated, explaining that the attacker could install programs, change or delete data, and create accounts with full user rights.
“There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts,” the security bulletin said.
Microsoft indicated it has information that the vulnerability was public prior to the security bulletin being issued, but not that it was used against customers.