Warning: Your Windows PC Can Get Hacked by Just Visiting a Site

Warning: Your Windows PC Can Get Hacked by Just Visiting a Site

Can you get hacked just by clicking on a malicious link or opening a website? — YES.

Microsoft has just released its April month's Patch Tuesday security updates, which addresses multiple critical vulnerabilities in its Windows operating systems and other products, five of which could allow an attacker to hack your computer by just tricking you visit a website.

Microsoft has patched five critical vulnerabilities in Windows Graphics Component that reside due to improper handling of embedded fonts by the Windows font library and affects all versions of Windows operating systems to date, including Windows 10 / 8.1 / RT 8.1 / 7, Windows Server 2008 / 2012 / 2016.


An attacker can exploit these issues by tricking an unsuspecting user to open a malicious file or a specially crafted website with the malicious font, which if open in a web browser, would hand over control of the affected system to the attacker.

All these five vulnerabilities in Windows Microsoft Graphics were discovered and responsibly disclosed by Hossein Lotfi, a security researcher at Flexera Software.
CVE-2018-1010
CVE-2018-1012
CVE-2018-1013
CVE-2018-1015
CVE-2018-1016Windows Microsoft Graphics is also affected by a denial of service vulnerability that could allow an attacker to cause a targeted system to stop responding. This flaw exists in the way Windows handles objects in memory.

Microsoft has also disclosed details of another critical RCE vulnerability (CVE-2018-1004), which exists in Windows VBScript Engine and affects all versions of Windows.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft explains."An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine."


Besides this, Microsoft has also patched multiple remote code execution vulnerabilities in Microsoft Office and Microsoft Excel, which could allow attackers to take control of the targeted systems.

The security updates also include patches for six flaws in Adobe Flash Player, three of which were rated critical.

Rest CVE-listed flaws has been addressed in Windows, Microsoft Office, Internet Explorer, Microsoft Edge, ChakraCore, Malware Protection Engine, Microsoft Visual Studio, and the Microsoft Azure IoT SDK, along with bugs in Adobe Flash Player.

Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates.

 

Is this still possible if connected through a secured VPN?

 

Yes it is still possible, the hack happened when visiting a vulnerable Site, no matter how you access this site.

 

But in order for a remote attacker to take control wouldn't they need a handle on your machine's local ip address through which to tunnel? I get that the exploit is local once your machine is compromised but unless it is actually installing something behind the scenes that calls back out to the attacker, it seems like there wouldn't be a valid ip path to communicate through to further establish the necessary footholds to maintain control over said machine since, for instance, my VPN allows tons of users to all browse under the same external ip. What I am not sure of if by loading the compromised fonts or whatever, is if it can bypass an otherwise secure cypher that was already established by a VPN.

 

I think this is the case,