Microsoft out-of-band patch MS15-078

Although Microsoft has announced that with the release of Windows 10, they will be going to a more continuous patch release cycle rather than saving up a month’s worth and unleashing them all on us once a month on Patch Tuesday, they’re currently still adhering to the second-Tuesday-of-the-month schedule – except, that is, when a vulnerability comes along that the company deems to be so serious that it’s necessary to put out an “out of band” patch immediately.

That’s what happened yesterday, on July 20. While most of us in the IT biz were dealing with yet another manic Monday, we had a little more added to our plates by the unexpected appearance of MS15-078 (KB3079904), which is intended to address a critical vulnerability in the Microsoft font driver that could allow for remote code execution.

The update fixes a single vulnerability by which an attacker can remotely execute code, thus taking control of a system, if a user can be convinced to open a document or visit a web site that contains OpenType fonts. The problem is that Adobe Type Manager in Windows doesn’t handle maliciously crafted OpenType fonts properly, allowing an exploit that could have serious ramifications, so Microsoft recommends that this update be applied as quickly as possible.

This vulnerability is reportedly one that was leaked with the Hacking Team email breach, according to an article in ComputerWorld. This makes it a zero day vulnerability – one that was made public prior to the release of the patch. It’s also said to be a vulnerability that is relatively easy to exploit.

The vulnerability is present in all of the currently supported versions of the Windows client and server operating system: Windows Vista, Windows 7, 8, 8.1 and RT/RT 8.1, as well as Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. The critical rating applies to all versions of the OS; unlike some vulnerabilities, the more restrictive defaults in Windows Server don’t protect you from it. This update also applies to the technical preview release version of Windows 10 that many users are already running as part of Microsoft’s preview program, and which is set to roll out to customers at the end of this month.

If this description is sounding vaguely familiar, it’s because MS15-077 (KB3077657), which was the last of a big slate of 14 patches that were released last week on Patch Tuesday, was described in exactly the same way. And in fact, this emergency patch came out because many Windows users, including a number of our readers here in the comments on this blog, were reporting problems in the wake of installing MS15-077.

These problems apparently stemmed from incompatibilities with WebEx tools, and the problem was discussed in the Microsoft Answers community forums, as well. Reports were that WebEx received many calls about the patch breaking the screen sharing feature, and the workaround that was suggested by the company, which involved changing the Windows personalization theme, wasn’t working for everybody.

Microsoft has released a workaround for those who might not be able to install this patch immediately or who might want to hold off in order to do testing to determine whether there are any conflicts or negative effects on existing functionality such as was experienced with MS15-077. The workaround involves renaming atmfd.dll x-atmfd.dll or, in Windows 8 and above operating systems, editing the registry to disable ATMFD (Adobe Type Manager Font Driver). The registry can be edited manually or you can use a managed deployment script to automate the registry edit process to make it easier to apply to multiple machines.

Regardless of the workaround method you use, disabling ATMFD will result in some applications not working properly (those that use OpenType fonts that have been installed by third party applications). You can find the instructions for renaming the atmfd.dll file at the command line (older versions of Windows) or editing the registry, along with instructions for undoing the registry edit and restoring the functionality of ATMFD, in the security bulletin that was issued for this patch. You can access it on the TechNet web site at https://technet.microsoft.com/library/security/MS15-078?f=255&MSPPError=-2147217396 . MS15-078 will be available through Windows Update and WSUS.