Windows Vulnerability in Embedded Web Fonts
Microsoft released a patch today, which is January's "Patch Tuesday", for a
vulnerability in the way Windows handles fonts embedded in a webpage. The vulnerability
could allow a malicious webpage developer, or someone who has compromised a website, to
install an embedded font on a webpage such that when a user views the webpage the user's
system could be compromised, potentially even allowing a remote attacker to take
complete control of the user's PC.
WMF Vulnerability Could Allow Remote Code Execution
Code that will allow attackers to compromise a Windows-based PC using
a vulnerability in the way such systems handle images has been posted
online over the holidays. Exploitation of this vulnerability by attackers
could allow them to install spyware on a system or take complete control
The vulnerability is within software that is part of the Windows operating
system distribution. The affected software processes Windows MetaFile (WMF)
images, but an attacker need only rename an infected WMF file with a JPG, GIF,
PNG, or other common graphic file format extension to avoid any block on all
WMF files, since a Windows system will examine the contents of files with those
extensions and execute the code in them, if they are really WMF files.
An attacker can send infected images by email or put them on a website.
The mere presence of an infected file on a system can lead to the system's
infection if file indexing software, such as Google's desktop search utility,
is present. When the file is indexed, the exploit is triggered.
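Because Windows decides by content rather than by extension, a mail or web filter has to do the same. The following is an added example, not part of the original article: it flags files whose leading bytes are a WMF header even though the name carries another extension. The header constants come from the WMF file format; the file names and sample bytes are constructed for illustration.

```python
import os
import struct

PLACEABLE_KEY = 0x9AC6CDD7        # key that opens a placeable WMF
META_TYPES = (0x0001, 0x0002)     # METAHEADER type: memory or disk metafile
META_VERSIONS = (0x0100, 0x0300)  # METAHEADER version values


def looks_like_wmf(data: bytes) -> bool:
    """True if the leading bytes match a placeable or standard WMF header."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return True
    if len(data) < 18:  # a standard METAHEADER is 18 bytes
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", data)
    return mtype in META_TYPES and header_words == 9 and version in META_VERSIONS


def classify(filename: str, data: bytes) -> str:
    """Return 'wmf', 'disguised-wmf' or 'other' from name and content."""
    if not looks_like_wmf(data):
        return "other"
    ext = os.path.splitext(filename)[1].lower()
    return "wmf" if ext == ".wmf" else "disguised-wmf"


# Constructed sample inputs: headers only, no drawing records.
STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_WMF = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + STANDARD_WMF
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)
REAL_PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)

SAMPLES = [
    ("chart.wmf", STANDARD_WMF),
    ("holiday.jpg", STANDARD_WMF),
    ("card.png", PLACEABLE_WMF),
    ("photo.jpg", REAL_JPEG),
    ("logo.png", REAL_PNG),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(f"{name:12} {classify(name, blob)}")
```

A header match only identifies the file type; it says nothing about whether the file is malicious, so a filter built on this blocks or quarantines every WMF regardless of its name.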