Microsoft has warned attackers are actively exploiting an unpatched Windows zero-day vulnerability on fully updated devices. The vulnerability impacts devices running Windows 7, 8.1, and Windows 10. "Microsoft has become aware of limited targeted Windows 7 based attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library," the company said in an advisory.
Microsoft said that the two remote code execution "vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format." Adobe Type Manager Library, which is at the center of this issue, is a system file used to manage and render fonts by Adobe.
Attackers can exploit this vulnerability through multiple ways, including convincing users to open specially crafted documents or viewing them in the Windows Preview pane.
The Windows maker added that it is working on a fix. It appears, however, that the company isn't aiming for an early release of the fix. In its advisory, Microsoft mentioned how releasing security fixes every second Tuesday of the month ensures partner quality assurance and IT planning, "which helps maintain the Windows ecosystem as a reliable, secure choice for our customers."
Microsoft says "threat is low" for Windows 10
While Microsoft has categorized the "Type 1 Font Parsing Remote Code Execution Vulnerability" as critical, it has also added a note in the advisory that the threat is low for systems running Windows 10 "due to mitigations that were put in place with the first version released in 2015."
The Windows maker has also added that the company isn't aware of any attacks against Windows 10." The possibility of remote code execution is negligible and elevation of privilege is not possible," Microsoft said. "For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities," the advisory added.
"We do not recommend that IT administrators running Windows 10 implement the workarounds described below."
The workarounds include disabling the Preview Pane and Details Pane in Windows Explorer and the WebClient service, among others. IT administrators are recommended to check out this advisory for workarounds.
Following versions of Windows 7, 8.1 and Windows 10 are impacted
- Windows 10 for 32-bit Systems and x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems and x64-based Systems
- Windows 10 Version 1709 for 32-bit Systems, ARM64-based Systems, and x64-based Systems
- Windows 10 Version 1803 for 32-bit Systems, ARM64-based Systems, and x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems, ARM64-based Systems, and x64-based Systems
- Windows 10 Version 1903 for 32-bit Systems, ARM64-based Systems, and x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems, ARM64-based Systems, and x64-based Systems
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows 8.1 for 32-bit systems and x64-based systems
- Windows RT 8.1
- Windows Server 2008 for 32-bit Systems Service Pack 2 and Server Core installation
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 and Server Core installation
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 and Server Core installation
- Windows Server 2012 and Server Core installation
- Windows Server 2012 R2 and Server Core installation
- Windows Server 2016 and Server Core installation
- Windows Server 2019 and Server Core installation
As an increasing number of people have been pushed to work from home, the possibility of attacks has also increased. Until Microsoft issues a fix, it is strongly advised not to download or open unknown documents or take additional steps to verify the source. It is unlikely that the company will deliver a fix for unsupported operating systems like Windows 7. However, given the current health situation, Microsoft did say it is putting optional Windows 10 updates on a pause to focus more on security. We will update this space as soon as the patches go live.