Microsoft has acknowledged a critical remote code execution (RCE) flaw in Windows 10, Windows 7, Windows 8.1, and their server variants. The issue resides in the way the OS handles the Adobe Type Manager Library and has seen “limited” exploitation in the wild.
To utilize the bug, an attacker has multiple avenues. However, one option is the crafting of a specially crafted document that would then use the flaw to execute code when opened or viewed in the preview pane.
Thankfully, those running the latest version of Windows 10 should be well-protected by the OS' in-built security. Microsoft says “a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities”.
Despite this, the flaw is still marked as critical on 1909, the OS' latest update. To mitigate the risk on other OSes, users can disable the preview and details panes in Windows Explorer, disable the WebClient service, and rename ATMFD.DLL if it's present on your system.
These mitigations could prove vital, as Microsoft has noted no plans to roll out an emergency update to fix this vulnerability.
“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month,” said the company. “This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”
The next patch Tuesday isn't due until April 14, so users will be vulnerable for several weeks. Either way, those on Windows 7 won't be receiving an official mitigation, owing to the fact it's now out of support.