Today’s VERT Alert addresses one new out-of-band Microsoft Security Bulletin. VERT is actively working on coverage for this bulletin in order to meet our 24-hour SLA and expects to ship ASPL-624 on Tuesday, July 21st.
MS15-078 | OpenType Font Driver Vulnerability | CVE-2015-2426
MS15-078
Microsoft has released an OOB update to the Adobe Type Manager Library. ATMFD.dll (Adobe Type Manager Font Driver) contains a vulnerability when processing specially crafted OpenType fonts that could lead to code execution. This vulnerability could be exploited via a web page that embeds a malicious font. This update replaces the MS15-077 bulletin that was released just last week.

It’s important to keep in mind that Windows Server 2003 support ended on Patch Tuesday and, as of now, that means that a patch for this vulnerability is not available for that operating system. Microsoft has, in the past, released an unexpected update after the end of life of an operating system (for example: Windows XP and MS14-021).

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (Published Exploits) to Risk Table:
Automated Exploit |
Easy |
Moderate | MS15-078
Difficult |
Extremely Difficult |
No Known Exploit |

Exposure: Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged