Symantec is investigating reports that a zero-day vulnerability affecting Microsoft Windows TrueType Font (TTF) parsing is being exploited in a limited number of attacks. The Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (CVE-2014-4148) is reportedly being exploited to gain remote access into an international organization.
The attack consisted of a document with a malicious TTF, which when viewed on a vulnerable computer would result in the execution of additional malware. The payload was a somewhat sophisticated remote access Trojan (RAT) that would run from memory. Symantec regards this vulnerability as critical since it affects all supported versions of the Windows OS and allows an attacker to execute code remotely on the compromised computer.
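The attack described above hinges on a document carrying an embedded TrueType font. As an added example, not code from Symantec's post, the following Python script scans a document blob for sfnt font headers, parses each candidate's table directory (offset table followed by 16-byte table records), and flags records whose offset and length point outside the available data. It is a triage aid for surfacing embedded fonts and structurally malformed table directories in suspicious documents, not a detection signature for CVE-2014-4148; the sample document, the two embedded fonts and the `MAX_TABLES` plausibility limit are all constructed here.

```python
import struct

# sfnt version tags for TrueType fonts: 0x00010000 (Windows) and 'true' (Mac).
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true")
# Plausibility limit for the table count (constructed heuristic, not a spec value).
MAX_TABLES = 64


def parse_sfnt_directory(blob, base):
    """Parse the offset table and table records of an sfnt font starting at `base`.

    Returns (tables, anomalies); tables is None when the bytes at `base` do not
    look like a font header at all (e.g. a chance match on the magic bytes).
    Table offsets inside a font are relative to the font's own start, so an
    embedded font's table lives at blob[base + offset : base + offset + length].
    """
    anomalies = []
    if base + 12 > len(blob):
        return None, ["offset table truncated"]
    _sfnt, num_tables, _search, _entry, _range = struct.unpack(">4sHHHH", blob[base:base + 12])
    if num_tables == 0 or num_tables > MAX_TABLES:
        return None, []  # not a plausible font header
    tables = []
    for i in range(num_tables):
        rec = base + 12 + 16 * i
        if rec + 16 > len(blob):
            anomalies.append(f"table directory truncated after {i} of {num_tables} records")
            break
        tag, _checksum, offset, length = struct.unpack(">4sIII", blob[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):
            if i == 0:
                return None, []  # first tag is not printable ASCII: not a font
            anomalies.append(f"record {i} has non-ASCII tag {tag!r}")
        if base + offset + length > len(blob):
            anomalies.append(
                f"table {tag.decode('ascii', 'replace')} offset={offset} "
                f"length={length} lies outside the data"
            )
        tables.append((tag, offset, length))
    return tables, anomalies


def find_embedded_fonts(blob):
    """Return one dict per plausible embedded font, ordered by position in `blob`."""
    hits = []
    for magic in SFNT_MAGICS:
        pos = blob.find(magic)
        while pos >= 0:
            tables, anomalies = parse_sfnt_directory(blob, pos)
            if tables is not None:
                hits.append({
                    "offset": pos,
                    "tables": [t[0].decode("ascii", "replace") for t in tables],
                    "anomalies": anomalies,
                })
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_font(records):
    """Construct a minimal sfnt blob for testing; records are (tag, declared_length, data)."""
    n = len(records)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    dir_size = 12 + 16 * n
    directory, body = b"", b""
    for tag, declared_len, data in records:
        directory += struct.pack(">4sIII", tag, 0, dir_size + len(body), declared_len)
        body += data
    return header + directory + body


# Constructed sample document: a well-formed two-table font, some filler text,
# then a font whose single table claims 64 KiB that is not present.
DOC_PREFIX = b"DOC-HEADER (constructed sample document)\n"
GOOD_FONT = build_font([(b"head", 4, b"\x00" * 4), (b"cmap", 4, b"\x00" * 4)])
DOC_MIDDLE = b"\nmore document text\n"
BAD_FONT = build_font([(b"glyf", 0x10000, b"\x00" * 4)])
SAMPLE_DOC = DOC_PREFIX + GOOD_FONT + DOC_MIDDLE + BAD_FONT


if __name__ == "__main__":
    for hit in find_embedded_fonts(SAMPLE_DOC):
        status = "MALFORMED" if hit["anomalies"] else "ok"
        print(f"font @ {hit['offset']}: tables={hit['tables']} [{status}]")
        for a in hit["anomalies"]:
            print("   -", a)
```

Run against a real sample by replacing `SAMPLE_DOC` with the bytes of the file under review. Any embedded font is worth a second look in a document from an untrusted source, and a table record that points past the end of the data is a strong sign the font was not produced by a normal font tool; such files can then be detonated or submitted for analysis rather than opened on an unpatched workstation.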
On October 14, 2014, Microsoft issued a security bulletin that provides a patch for the vulnerability. We recommend that all users apply the patch published in Microsoft Security Bulletin MS14-058.
Symantec will continue to investigate this vulnerability and provide more details as they become available.