KB3074667 and KB3079904 Windows Updates released to fix critical security issues in all versions of Windows

by Ashwin, July 21, 2015

Microsoft has released KB3074667 and KB3079904 Windows Updates to fix critical security issues in all versions of Windows from Windows Vista to Windows 10.


In my write-ups from last week, I mentioned how Adobe Flash Player was affected by severe vulnerabilities which resulted in a security firm being hacked, and several hundred gigabytes of data being stolen from the firm.

This resulted in the Flash plugin being blocked by default in the Mozilla Firefox browser. Adobe drew a lot of flak for the security holes, which were not found by the company before the attacks happened. Facebook’s Head of Security called for Adobe to end support for Flash. This was followed by Adobe releasing a second set of fixes, which fixed even more vulnerabilities.

Recently, Microsoft rolled out a cumulative Windows Update for Windows 10 Build 101240. The knowledge base article revealed that Microsoft had patched security issues related to Adobe Flash Player in its browsers, Internet Explorer and Microsoft Edge. The Redmond company was also criticized for patching issues very slowly, while Google patched the built-in Flash Player in its Chrome browser rather quickly.

And today’s updates from Microsoft also plug some more major security holes, and you don’t get any prizes for guessing which software vendor’s products have been patched. Yes, it is once again Adobe related.

According to Microsoft Security Bulletin MS15-078, this time the security holes were found in OpenType fonts, used by the Windows Adobe Type Manager. This flaw allows an attacker to execute code remotely and take over the system.

This is what the statement from Microsoft’s Bulletin says:

An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft also kind of defends the delay in fixing the issue indirectly by saying:

When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.

Microsoft also clarifies that workarounds such as disabling a component like ATMFD.DLL could break applications, i.e., they wouldn’t function properly if they use OpenType fonts. Windows does not come with OpenType fonts, but third-party apps could install them and may be affected by this workaround.

This is why the Redmond Company has released updates to fix the issues without impacting other apps.


There is one more surprise here, and it’s rather nasty. The Microsoft Security Bulletin does not mention the security hole in Windows 10 at all. It’s as if the latest operating system is safe from danger. But it’s not: InfoWorld reports that KB3074667 is related to Windows 10, while KB3079904 is related to other versions of Windows, from Vista to 8.1.