According to this article on ThreatPost, Microsoft has released an out-of-band patch to resolve an issue that could allow a remote attacker to gain full access to a vulnerable system by tricking the user into opening a malicious document or visiting an infected website. I do not (yet) have confirmation, but no additional user interaction seems to be required (i.e., if you visit an infected site, it won’t prompt you). Some important notes:
- Allows a remote attacker to consistently exploit the vulnerable system.
- Affects all supported versions of Windows.
- Windows Server 2003 is not being updated. Support for Windows Server 2003 died last Tuesday and Microsoft is making it clear that there will be no more support.
- For those keeping score at home, this is not CVE-2015-2387 (a vulnerability in the Adobe Font Driver that was patched last week).
- We have not seen publicly available exploit code for this yet (the time on the ThreatPost article was 3:04pm EDT), but I suspect that will change very soon.
All users of Microsoft Windows are encouraged to install the update now. We are now in the process of updating all MyIT Bronze, Silver and Gold clients, but all hosts (including servers) will have to be rebooted for the patch to be installed.