ALERT: Critical vulnerability affecting Microsoft Windows operating systems (MS15-078)

Monday, July 20, 2015

This information was sent to U-M IT staff groups on July 20, 2015.

This message is intended for U-M IT staff who are responsible for university machines running Microsoft Windows operating systems.

Summary: 

An update has been released to address a critical vulnerability in all supported releases of Microsoft Windows operating systems. IIA and Microsoft recommend installing this update as soon as possible after required testing.

Problem: 

The vulnerability could allow remote code execution if a person opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

Affected Systems: 

All supported releases of Microsoft Windows operating systems.

  • Note for Microsoft Windows Server 2003: This operating system is no longer supported by Microsoft and no patch has been released for these systems. IIA reminds you to remove machines running Windows Server 2003 from the network. See Upgrade Windows Server 2003 Before July 2015 for more.
Action Items: 

Update machines using Microsoft Windows as soon as possible after required testing. See the Microsoft Security Bulletin in the references below for workarounds if you are unable to update.

Technical Details: 

A remote code execution vulnerability, CVE-2015-2426, exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. Successful exploitation of this vulnerability could allow an attacker to take complete control of the affected system. There are multiple ways an attacker could exploit this vulnerability. According to Microsoft, the vulnerability was public before this update, and reliable exploitation of this vulnerability is possible.

Information for Users: 

MiWorkspace machines will be patched as soon as possible. If you have Microsoft Windows devices that are not managed by the university, please update using Windows Update. If automatic updates are enabled for your device, it will be updated automatically.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.