As we were reading over Sophos's descriptions of the security patches released this week by various vendors, one Microsoft patch in particular caught our eye. A flaw was found in the way Windows handles a particular font format, and it allows remote code execution. All it takes to exploit it is a specially crafted font file and a web page that uses that font; anyone who views the page is exposed. You can read the details of this specific vulnerability here. You may also be interested in Microsoft's description of the patch.
That's it. You view the website, the page loads the font, your browser hands it to the operating system's font-rendering code, and the malicious font makes that code run whatever the attacker put in it. No download prompt, no "Run this file?" dialog, nothing to click. If that isn't enough to make your blood run cold, it should be. Now imagine a malicious page tied into a Facebook scam like the recent "Facebook stalker" one, or the "number of profile views" one, or a specially crafted email that fools you into visiting the page.
This is another perfect example of why you need to be diligent about keeping your antivirus and anti-malware software up to date, and, more importantly, making sure your software security updates are installed. Antivirus signatures can only catch a malicious font once someone has seen and analysed it; the patch closes the hole for good. Make sure Automatic Updates is turned on. If you don't want updates installed without asking, set it to prompt you instead, but don't ignore that icon when it appears. Watch for updates from your other software vendors and install them too.
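If you want to check this rather than take the update icon's word for it, the following PowerShell snippet is an added example (not from the original post or from Microsoft's advisory). It uses the Windows Update Agent COM objects (`Microsoft.Update.AutoUpdate` and `Microsoft.Update.Session`), which exist on every supported Windows version, to report how Automatic Updates is configured, list security updates that are still missing, and show the most recently installed hotfixes. It assumes a Windows machine and an elevated PowerShell prompt; the `$levels` lookup table is just a readable rendering of the numeric notification levels the API returns.

```powershell
# Added example, not part of the original post: audit Windows Update on this machine.
# Run from an elevated (Administrator) PowerShell prompt.

# 1. How is Automatic Updates configured?
#    NotificationLevel values come from the Windows Update Agent API:
#    0 = not configured, 1 = disabled, 2 = notify before download,
#    3 = download automatically and notify before install, 4 = fully automatic.
$au     = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$level  = [int]$au.Settings.NotificationLevel
$levels = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Scheduled install (fully automatic)'
}
"Automatic Updates: $level ($($levels[$level]))"
if ($level -lt 2) {
    Write-Warning 'Automatic Updates is off. Turn it on (at least "notify before download").'
    # To switch it on from here instead of the Control Panel, uncomment the next two lines:
    # $au.Settings.NotificationLevel = 3
    # $au.Settings.Save()
}

# 2. Which security updates has this machine not installed yet?
#    MsrcSeverity is set only on updates that have a security bulletin
#    (Critical, Important, Moderate, Low), so filtering on it keeps the
#    list to the patches that actually close holes like the font one.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$missing  = @($result.Updates | Where-Object { $_.MsrcSeverity })
"Missing security updates: $($missing.Count)"
foreach ($u in $missing) {
    "{0,-10} {1}" -f $u.MsrcSeverity, $u.Title
}

# 3. What was installed most recently? A quick sanity check that updates
#    really are landing and not just being downloaded and ignored.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

A non-zero "Missing security updates" count after you have clicked through the update icon usually means a pending reboot or a failed install; check the Windows Update history before assuming you are covered.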
Windows isn't the only one with security flaws. Adobe has released critical updates for its Reader product this round too, so install those as well.