Can you get hacked just by clicking on a malicious link or opening a website? — YES.
Microsoft has just released its April Patch Tuesday security updates, which address multiple critical vulnerabilities in its Windows operating systems and other products, five of which could allow an attacker to hack your computer just by tricking you into visiting a website.
Microsoft has patched five critical vulnerabilities in Windows Graphics Component that stem from improper handling of embedded fonts by the Windows font library and affect all versions of Windows operating systems to date, including Windows 10 / 8.1 / RT 8.1 / 7, Windows Server 2008 / 2012 / 2016.
An attacker can exploit these issues by tricking an unsuspecting user into opening a malicious file or a specially crafted website containing the malicious font, which, if opened in a web browser, would hand over control of the affected system to the attacker.
All five of these vulnerabilities in Windows Microsoft Graphics were discovered and responsibly disclosed by Hossein Lotfi, a security researcher at Flexera Software.
Windows Microsoft Graphics is also affected by a denial of service vulnerability that could allow an attacker to cause a targeted system to stop responding. This flaw exists in the way Windows handles objects in memory.
Microsoft has also disclosed details of another critical RCE vulnerability (CVE-2018-1004), which exists in Windows VBScript Engine and affects all versions of Windows.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft explains.
“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.”
Besides this, Microsoft has also patched multiple remote code execution vulnerabilities in Microsoft Office and Microsoft Excel, which could allow attackers to take control of the targeted systems.
The security updates also include patches for six flaws in Adobe Flash Player, three of which were rated critical.
The remaining CVE-listed flaws have been addressed in Windows, Microsoft Office, Internet Explorer, Microsoft Edge, ChakraCore, Malware Protection Engine, Microsoft Visual Studio, and the Microsoft Azure IoT SDK, along with bugs in Adobe Flash Player.
Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.
To install security updates, simply head to Settings → Update & security → Windows Update → Check for updates, or you can install the updates.