Microsoft warned billions of Windows users that hackers are actively exploiting two critical zero-day vulnerabilities that could allow bad actors to take complete control of targeted computers. According to a security advisory, the vulnerabilities are being used in "limited targeted attacks," and all supported Windows operating systems could be at risk.
The flaws exist in the Windows Adobe Type Manager Library, which allows apps to manage and render fonts available from Adobe Systems. Attackers may exploit the vulnerabilities by getting their targets to open booby-trapped documents or view them in the Windows preview pane.
Microsoft is still working to fix the vulnerabilities. The earliest it will issue a patch is likely April 14th. Microsoft typically releases security updates on Update Tuesday, the second Tuesday of each month. In the meantime, there are a few workarounds, including disabling the preview pane and details pane in Windows Explorer. Microsoft has detailed the steps users should take in its security advisory.
The affected versions of Windows include 32-bit and 64-bit versions of Windows 10 (1607, 1709, 1803, 1809, 1903, 1909), Windows 8.1, Windows 7, and Windows Server 2008, 2012, 2016 and 2019, including Server Core installations.
Importantly, Windows 7 users whose installations lack an Extended Security Updates (ESU) agreement won’t receive patches for these flaws (Windows 7 reached end of life on 14 January 2020).
Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.
Until then, the only countermeasure is to use one of the recommended workarounds, which involves disabling Explorer’s preview and details panes.
Per the Microsoft advisory, the threat to Windows 10 is low:
Please Note: The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015. Please see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.