Microsoft has released an emergency out-of-band security fix for Windows, following the Patch Tuesday updates earlier this month.
The latest update (MS15-078) patches a critical flaw in how the Windows Adobe Type Manager Library handles OpenType fonts. The fix is marked as 'critical' for all versions of Windows.
Microsoft explained that the vulnerability could allow remote access if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.
"Today, we released a security bulletin to provide an update for Microsoft Windows. Customers who have automatic updates enabled or apply the update will be protected," the firm said.
Microsoft has indicated that the vulnerability was discovered as a result of the Hacking Team data leak, thanking Trend Micro, FireEye and Google's Project Zero, which have all worked previously on patching zero-day flaws.
"When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers," reads the security bulletin.
"Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability."
FireEye confirmed to V3 that the flaw was uncovered as part of the Hacking Team data breach.
Recently, security company Vectra Networks detected a zero-day vulnerability affecting Microsoft's Internet Explorer (IE) 11, after scanning through the huge cache of data logs leaked from Hacking Team.
The Vectra Networks team found the previously unknown IE 11 vulnerability after discovering an email log from a third party attempting to sell off a ‘proof-of-concept’ exploit.
The email, sent on 2 June, described a newly discovered bug that crashed IE 11. The bug affects a fully patched IE 11 on Windows 7 and Windows 8.1, Vectra advised.
Wade Williamson, director of product marketing at Vectra, explained to V3 that this was only one of many critical bugs found. However, he confirmed that the latest Patch Tuesday rollout from Microsoft has fixed the problem. Vectra notified Microsoft of the bug on 9 July.
The team at Vectra is continuing to work through the leaked Hacking Team data logs to find other potential bugs.
Meanwhile, Microsoft continued to roll out fixes for Windows and Internet Explorer with its latest Patch Tuesday release, with CVE-2015-5122 and CVE-2015-5123 specifically being targeted as zero-day vulnerabilities in the software.
Security experts at Trend Micro have also advised users to uninstall Adobe Flash.
“The Hacking Team data has been available to the public (and attackers) for just over a week, which means it is readily available to attackers,” they said.
The security company also said that users running IE 11 should update to a patched version immediately, in light of the zero-day threat.
A number of critical zero-day vulnerabilities were the focus of major fixes during this Patch Tuesday. Microsoft released 14 security fixes, including several for Windows and IE.
Four of the fixes in the Microsoft July 2015 Patch Tuesday update are marked 'critical' and resolve gaps that are currently open to exploitation by hackers.
One of the most notable fixes is the MS15-065 bulletin that patches a flaw that could allow remote code execution if a user visits a specially crafted website using IE, and affects all versions from IE 6 to 11.
"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user," explained the advisory.
Meanwhile, MS15-066 fixes vulnerabilities in the VBScript scripting engine and affects Windows 2003, Vista and Server 2008.
Another critical patch, MS15-067, contains an array of fixes for Windows, including a vulnerability in Remote Desktop Protocol that could result in remote code execution.
Craig Young, a security researcher at Tripwire, stressed the importance of the MS15-067 fix.
"This should definitely be on the top of everyone's install list. Although Microsoft says that code execution is tricky, there are a lot of smart people out there and I'm sure it won't be long before proof-of-concept code starts floating around," he said.
The last critical update, MS15-068, is for Windows versions 8 and 8.1 and versions of Windows Server 2008 and later. It patches a gap in Hyper-V that could allow remote code execution.
"An attacker must have valid log-on credentials for a guest virtual machine to exploit this vulnerability," said Microsoft.
The remaining 10 patches are all marked 'important' and fix gaps in Windows, SQL Server and Microsoft Office.
Dustin Childs, information security expert at HP, confirmed that three of the flaws are actively being exploited.
The fixes come after the end of official support for Windows Server 2003, meaning that organisations still running the software face an increased risk of security breaches.