Microsoft Issues Lone Update For January Patch Tuesday Release
The update, which affects all versions of Microsoft Windows to some degree, addresses a flaw that could let attackers mount malicious attacks by creating a specially crafted Embedded OpenType font and delivering it through applications that render such fonts, such as Microsoft Internet Explorer, Office PowerPoint or Office Word.
Attacks could be sent as a Word document attached to an e-mail, usually as part of a social engineering scheme. Users could also be enticed to open a Web page containing a malicious font designed to infect their PCs.
Once victims opened the malicious content, attackers could infiltrate and take complete control of their computers to steal data.
"What can happen is that these fonts are typically used on a Web site. There's a vulnerability inside of there so you can make a specially crafted site that houses an evil font," said Jason Miller, data and security team leader for Shavlik Technologies.
So far, there are no known attacks in the wild exploiting the vulnerability. The patch is rated critical only for Windows 2000; it is ranked as a low priority for Windows XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2.
The vulnerability doesn't exactly have security experts worried.
"It's not too terribly critical," Miller said. "A lot of end users should not be using Windows 2000 anyway."
Miller added that the urgency of applying the patch would likely depend on the user's network infrastructure. If that infrastructure is older, still relying on Windows 2000, users will want to install the patch sooner rather than later.
"It's not absolutely urgent. It goes back to what's on your network," Miller said. "I could probably lax a little bit on this. But definitely don't forget about it. You're going to have to patch it at some point."
Miller said that Microsoft's January patch loads are typically light, in part due to a lag that is created over the holidays. That lag will come to an end next month as researchers and coders start firing up again and tackling a long list of vulnerabilities they postponed over the holidays, he added.