Microsoft will patch a pair of zero-day Windows vulnerabilities later today that attackers have been exploiting to penetrate major corporations' networks, researchers at FireEye said Tuesday.
The flaws found by FireEye are different from the one discovered by iSight Partners, which today disclosed an ongoing campaign by Russian hackers against the Ukrainian government and targets in the U.S.
Microsoft will also patch the iSight-found flaw today.
According to FireEye, the more dangerous of the two vulnerabilities it discovered is a bug in the TrueType font subsystem. Microsoft classified it as a "remote code execution" flaw and will address it with a fix to the Windows kernel. Because font parsing on Windows happens in kernel mode, a malformed font that reaches the parser yields code execution at kernel privilege rather than inside the sandboxed or low-privilege application that opened the file.
The TrueType font parsing engine has been exploited before: the Duqu malware of 2011, which some experts said was written by the same group that created the Stuxnet worm, took advantage of a flaw in the TrueType parsing code in the Windows kernel.
FireEye spotted the vulnerability while analyzing attacks that used malformed Office documents containing malicious fonts. The vulnerability exists in both 32- and 64-bit versions of Windows, going as far back as Windows XP and also affecting the dominant Windows 7 and the newest Windows 8.1, but FireEye has only seen attacks aimed at 32-bit versions. That is a statement about the exploits observed so far, not about exposure: 64-bit systems carry the same bug and need the same patch.
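The delivery vector FireEye describes, an Office document carrying a malicious font, is something a responder can triage for without a sample of the exploit. The script below is an added example, not code from FireEye, Microsoft or this article: it opens a .docx, finds the embedded font parts under word/fonts/, reverses Word's .odttf obfuscation (assumed here to be the ECMA-376 scheme, XOR of the first 32 bytes with the fontKey GUID bytes in reverse order; verify against a real document before relying on it) and checks whether each font's sfnt table directory stays within the file, the fields a kernel-mode font parser must validate before trusting them. The .docx container, the GUID and both fonts are constructed inside the script.

```python
"""Triage .docx files for embedded fonts and bounds-check their sfnt table directories.
Added example for this article; not FireEye's, Microsoft's or any vendor's code."""
import io
import re
import struct
import zipfile

FONT_PART_PREFIX = "word/fonts/"   # where Word stores embedded (obfuscated) fonts
SFNT_TAGS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}
HEADER_LEN, ENTRY_LEN = 12, 16     # sfnt offset table and table-directory entry sizes


def guid_key(guid):
    """16-byte XOR key from a fontKey GUID such as "{0123-...}".
    Assumption: Word obfuscates .odttf parts by XORing the first 32 bytes with the
    GUID bytes reversed (ECMA-376 obfuscated-font scheme); check on a real file."""
    return bytes.fromhex(guid.strip("{}").replace("-", ""))[::-1]


def deobfuscate(data, guid):
    """Undo the .odttf obfuscation (XOR is symmetric, so this also obfuscates)."""
    key = guid_key(guid)
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:32]))
    return head + data[32:]


def check_sfnt(font):
    """List structural problems in a TrueType/OpenType table directory.
    An entry whose offset+length runs past the file is the classic out-of-bounds setup
    that a native parser must reject; Python ints cannot overflow in this check."""
    if len(font) < HEADER_LEN:
        return ["offset table truncated"]
    if font[:4] not in SFNT_TAGS:
        return ["unknown sfnt tag %r" % font[:4]]
    num_tables = struct.unpack(">H", font[4:6])[0]
    dir_end = HEADER_LEN + ENTRY_LEN * num_tables
    if dir_end > len(font):
        return ["directory claims %d tables but file is %d bytes" % (num_tables, len(font))]
    issues, seen = [], set()
    for i in range(num_tables):
        pos = HEADER_LEN + ENTRY_LEN * i
        tag, _checksum, offset, length = struct.unpack(">4sIII", font[pos:pos + ENTRY_LEN])
        if tag in seen:
            issues.append("duplicate table %r" % tag)
        seen.add(tag)
        if offset < dir_end or offset + length > len(font):
            issues.append("table %r offset=%d length=%d outside file" % (tag, offset, length))
    return issues


def build_font(tables):
    """Assemble a minimal sfnt from {tag: bytes}. Constructed test data, not a usable font."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 0, 0, 0)
    offset = HEADER_LEN + ENTRY_LEN * len(tables)
    directory, body = b"", b""
    for tag, blob in tables.items():
        directory += struct.pack(">4sIII", tag, 0, offset, len(blob))
        body += blob
        offset += len(blob)
    return header + directory + body


def build_docx(fonts):
    """Minimal .docx-shaped zip embedding the given {guid: font_bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        keys = "".join('<w:embedRegular w:fontKey="%s"/>' % g for g in fonts)
        z.writestr("word/fontTable.xml", "<w:fonts>%s</w:fonts>" % keys)
        for n, (guid, font) in enumerate(fonts.items(), 1):
            z.writestr("%sfont%d.odttf" % (FONT_PART_PREFIX, n), deobfuscate(font, guid))
    return buf.getvalue()


def triage(doc_bytes):
    """Map each embedded font part to its issues ([] = directory is structurally sane).
    An empty result means the document embeds no fonts, the usual case for attachments."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        names = z.namelist()
        keys = []
        if "word/fontTable.xml" in names:
            keys = re.findall(r'w:fontKey="([^"]+)"', z.read("word/fontTable.xml").decode())
        for name in names:
            if not name.startswith(FONT_PART_PREFIX):
                continue
            raw = z.read(name)
            # Try every fontKey; the first that yields a valid sfnt tag is the right one.
            candidates = [deobfuscate(raw, k) for k in keys] + [raw]
            font = next((f for f in candidates if f[:4] in SFNT_TAGS), raw)
            findings[name] = check_sfnt(font)
    return findings


# Constructed samples: one sane font, one whose 'glyf' length is patched to 0xFFFFFFF0.
GUID = "{0D2A1B3C-4E5F-6071-8293-A4B5C6D7E8F9}"
CLEAN = build_font({b"head": b"\x00" * 54, b"glyf": b"\x00" * 64})
BAD = bytearray(CLEAN)
struct.pack_into(">I", BAD, HEADER_LEN + ENTRY_LEN + 12, 0xFFFFFFF0)  # 2nd entry's length
BAD = bytes(BAD)

if __name__ == "__main__":
    for label, font in (("clean", CLEAN), ("malformed", BAD)):
        print(label, triage(build_docx({GUID: font})))
```

Treat this as a triage filter rather than a detector: any embedded font in an inbound document is worth a second look on its own, and a directory that passes these bounds checks says nothing about the glyph programs and hinting instructions inside the tables, which is where a parser bug can just as easily live.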
A successful exploit compromises the PC and plants a custom-made remote access tool that the hackers use to snoop through the machine and extract any information they find worthwhile. The tool is sophisticated, said FireEye: it is never written to disk but is loaded directly into memory, which keeps it out of reach of security software that only scans files.
FireEye's second find was an "elevation of privilege" (EoP) vulnerability, which on its own does not give an attacker access to a victim's PC. EoP bugs are typically chained with a separate code-execution flaw, such as a browser or document exploit, to escalate from a limited user context to full control of the system.
Windows 8 and later are not affected by the EoP vulnerability.
FireEye said there was no evidence that the two bugs had been exploited together; it had found each used in separate, unrelated attacks.
Microsoft will patch both flaws today in MS14-058, one of nine security updates it plans to deliver around 10 a.m. PT (1 p.m. ET). The most likely candidate for MS14-058 was what Microsoft dubbed "Bulletin 3" in last week's advance notification of today's Patch Tuesday.