There’s a certain rich irony in the recent hack of the notorious Hacking Team. Though they self-righteously claim to be selling solutions to law enforcement, Hacking Team is an evil group of professional hackers and malware vendors. They got pwned themselves recently, possibly by disgruntled employees. It’s paid off nicely in revealing some of their slimy methods and sleazy clients (including dictators and the DEA), as well as a number of zero-day exploits they were selling on the black market.
One of these involved, of all things, fonts. Yes, even innocent-seeming type on the page can now be a weapon. If the victim opens a specially crafted webpage or document with embedded OpenType fonts, this vulnerability would allow an attacker to elevate their user privileges, allowing them to run remote code and completely take over the unwitting victim’s machine. Leveraging the Adobe Type Manager’s abilities to handle type, the bad guys could then install malware, view and delete or manipulate data, or create new accounts with full user privileges.
This led to the discovery of a similar flaw affecting all Windows machines that is even more critical. It also uses the Adobe Type Manager and OpenType fonts, but it is not as constrained as the previous flaw. It’s so worrisome that Microsoft issued an emergency patch.
However, Microsoft seems rather blasé about it: “The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.” Ho-hum, another day, another zero-day exploit patched…
But if you have not enabled automatic Windows Updates, you need to at least have your machine notify you as soon as updates become available, and to manually download them on a regular basis. And if you leave your computer on all the time, why not set it to do so automatically along with back-ups? You should sleep even more soundly.