It appears that Adobe just can't catch a break. Just days after a series of zero-day flaws in Adobe Flash were uncovered from the Hacking Team leak they have been linked to a new vulnerability, this time in Microsoft's OpenFont implementation.The OpenType Font Driver Vulnerability - CVE-2015-2426 - is described as the following:
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.
When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.
SOURCE: https://technet.microsoft.com/library/security/MS15-078#ID0EKIAE
There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.
When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.
SOURCE: https://technet.microsoft.com/library/security/MS15-078#ID0EKIAE
Windows Update KB3079904 was deployed earlier today to address the vulnerability, and will have been installed automatically on most systems. Checking Windows Update manually to ensure that the update was applied is sensible, and if not Microsoft advise that you apply it yourself.
It's not clear how this vulnerability was discovered. More information, including work-arounds where necessary, can be found at https://technet.microsoft.com/library/security/MS15-078#ID0EKIAE.
