Microsoft has released an alert warning of targeted attacks actively exploiting two zero-day remote code execution (RCE) vulnerabilities affecting the Windows Adobe Type Manager Library. The flaws impact all supported versions of Windows, as well as Windows 7, which reached end of life in January this year.
“Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released,” the tech giant says.
According to Microsoft, the two RCE flaws stem from the way the Windows Adobe Type Manager Library handles a specially crafted multi-master font in the Adobe Type 1 PostScript format. The vulnerabilities can be exploited by tricking a user into opening a specially crafted document, or into viewing it in the Windows Preview pane.
Rated as ‘Critical’, the vulnerabilities affect devices running desktop and server Windows versions, including Windows 10, Windows 8.1, Windows 7, and multiple versions of Windows Server.
“For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” the company says.
Currently, Microsoft is working on a patch to address the issues. As the company noted, updates that address security vulnerabilities are usually released as part of Update Tuesday, typically scheduled for the second Tuesday of every month. This means that, in theory, the next monthly batch of security updates is due on April 14th.
Meanwhile, the Redmond company has provided a temporary workaround to reduce the risk of attacks exploiting the above-mentioned flaws. It recommends disabling the Preview Pane and Details Pane in Windows Explorer to prevent the automatic display of OTF fonts.