Security Update for Graphic Fonts to Address Remote Code Execution (MS16-026)

ITS Advisory Number: 
2016-042
Date(s) Issued: 
Tuesday, March 8, 2016
Subject: 
Security Update for Graphic Fonts to Address Remote Code Execution (MS16-026)
Overview: 

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user either to open a specially crafted document or to visit a webpage that contains specially crafted embedded OpenType fonts. The security update addresses the vulnerabilities by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.


Systems Affected: 
  • Microsoft Windows Server 2008, Server 2008 R2
  • Microsoft Windows Server 2012, Server 2012 R2
  • Microsoft Windows Vista SP2
  • Microsoft Windows 7
  • Microsoft Windows 8 and 8.1
  • Microsoft Windows 10
  • Windows RT and Windows RT 8.1
  • Microsoft Office 2007
  • Microsoft Office 2010
  • Skype for Business 2016
  • Microsoft Lync 2013
  • Microsoft Lync 2010

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Two vulnerabilities exist in the way the Windows Adobe Type Manager Library parses specially crafted OpenType fonts. An attacker who successfully exploits the more severe of them could execute arbitrary code on the affected system; the other can be used to cause the affected system to stop responding (denial of service). To exploit these vulnerabilities an attacker must get an affected system to parse a malicious font. In a web-based attack scenario, an attacker could host a specially crafted website that embeds such a font, designed to exploit the vulnerability through Internet Explorer, and then convince users to view the website. This could also include compromised websites or websites that accept or host user-provided content or banner advertisements; such websites could contain specially crafted content that is designed to exploit the vulnerability. In a document-based scenario, the attacker could send a document that embeds the font and convince the user to open it. In all cases, however, an attacker would have no way to force users to visit such websites or open such documents. Instead, an attacker would have to convince users to do so, typically by getting them to click a link in an email or Instant Messenger request, or to open an email attachment.

The vulnerabilities are as follows:

  • OpenType Font Parsing Vulnerability (denial of service): [CVE-2016-0120]
  • OpenType Font Parsing Vulnerability (remote code execution): [CVE-2016-0121]

Actions: 
  • After appropriate testing, apply the patches provided by Microsoft to vulnerable systems.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Note that on the affected platforms the Adobe Type Manager font driver (atmfd.dll) runs in kernel mode, so this reduces what an attacker can reach through other vectors but does not by itself contain a successful exploit of these font-parsing bugs; applying the update is the effective fix.
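The following PowerShell script is an added example for the patch-and-verify step above; it is not part of the ITS advisory or of Microsoft's bulletin. It reports whether the MS16-026 update is present on the local host, records the version of the Adobe Type Manager font driver for comparison against the file versions listed in the bulletin, and, with -ApplyWorkaround, sets the "Disable ATMFD" registry value that Microsoft documents as a temporary workaround for Adobe Type Manager font bulletins on Windows 8 and later. Assumptions: the KB numbers in $KbIds are per-OS and must be taken from the MS16-026 bulletin (the value below is a placeholder); the registry path and value name are the ones Microsoft publishes for that workaround, and applicability to your platform should be confirmed against the bulletin.

```powershell
#Requires -RunAsAdministrator
<#
  Added example for ITS advisory 2016-042 (MS16-026); not Microsoft's or ITS's own code.
  Run locally, or push to a fleet with Invoke-Command.
  Assumption: $KbIds is filled from the MS16-026 bulletin for each OS; KB0000000 is a placeholder.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$KbIds = @('KB0000000'),   # placeholder: replace with the bulletin's KB numbers
    [switch]$ApplyWorkaround
)

# Registry workaround Microsoft documents for ATMFD bulletins (Windows 8 and later).
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$regName  = 'DisableATMFD'
# Kernel-mode Adobe Type Manager font driver that parses OpenType/Type 1 fonts.
$atmfdDll = Join-Path $env:SystemRoot 'System32\atmfd.dll'

# 1. Patch state: is any of the expected updates installed?
$hotfix  = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
$patched = [bool]$hotfix

# 2. Driver state: file version to compare against the bulletin's file information.
$driverVersion = if (Test-Path $atmfdDll) {
    (Get-Item $atmfdDll).VersionInfo.FileVersion
} else {
    'not present'
}

# 3. Workaround state: DisableATMFD = 1 means the driver is not loaded.
$current  = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
$disabled = ($current.$regName -eq 1)

# Emit one object per host so results can be collected and filtered.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    OSVersion      = [Environment]::OSVersion.Version.ToString()
    PatchInstalled = $patched
    MatchedKB      = ($hotfix.HotFixID -join ',')
    AtmfdVersion   = $driverVersion
    ATMFDDisabled  = $disabled
}

# Only apply the workaround where the update is absent and it is not already set.
# Caveat: disabling ATMFD breaks applications that depend on fonts rendered by it,
# and a reboot is required for the change to take effect.
if ($ApplyWorkaround -and -not $patched -and -not $disabled) {
    $action = "Set $regName=1 (reboot required; remove after the MS16-026 update is installed)"
    if ($PSCmdlet.ShouldProcess($regPath, $action)) {
        New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Warning "DisableATMFD set on $env:COMPUTERNAME; reboot required."
    }
}
```

Run it first without -ApplyWorkaround to inventory hosts, then with -WhatIf to preview the registry change; remove the DisableATMFD value once the update is confirmed installed, because the workaround disables font rendering that some applications require.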