Microsoft on Monday issued an emergency fix for all supported versions of its Windows operating system, plugging a hole that essentially allowed hackers unfettered access to victims’ computers.
The “critical” vulnerability, denoting Microsoft’s highest level of threat, would have allowed hackers to take “complete control of the affected system,” the company wrote in an online security bulletin posted Monday. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The flaw affects all users of Windows Vista, Windows 7, Windows 8 and 8.1 and Windows RT, representing two out of every three of the 1.5 billion PCs running Windows around the world. Microsoft decided not to wait until its regularly scheduled monthly security update, known as “Patch Tuesday,” to issue a fix. The company last issued an emergency patch like this in November 2014.
Microsoft said a hacker could attack unsuspecting Windows users by convincing them to open a specially crafted document or visit a compromised Web page because the vulnerability affected OpenType, a widely used format for computer fonts co-developed by Microsoft and Adobe.
Computer security researchers found the flaw by looking over a collection of emails leaked online after cyberattackers breached the systems of Italian surveillance firm Hacking Team earlier this month. Microsoft credited security company FireEye’s Genwei Jiang and Mateusz Jurczyk, part of Google’s Project Zero security squad, for finding the flaw and reporting it.
The emergency fix comes at a sensitive time for Microsoft, which is just a week away from releasing the next big overhaul of its operating system, called Windows 10. Microsoft has touted the software upgrade as more secure than past versions of Windows. That’s thanks to new technology such as Device Guard, a software tool aimed at preventing the sort of attack today’s patch aims to avert, and Windows Hello, a new biometric security system that lets users add face, iris or fingerprint recognition to their computer for an added layer of protection.
Despite that, the security flaw patched today was found in even the latest test version of Windows 10, widely considered to be the final iteration of the software that will go out to the public and to device manufacturers.
Windows 10 will be available as a free upgrade for all Windows 7 and Windows 8.1 users on Wednesday, July 29.
Microsoft says a majority of Windows users have automatic updating enabled and will not need to make any extra effort to protect their machines. People who have have automatic updating turned off should download the patch from Microsoft’s security bulletin page.
The company says it has no evidence the flaw had been used to attack Windows, but confirmed such an attack could be exploited “consistently.”