Microsoft has confirmed new zero-day vulnerabilities that affect all versions of Windows and have been exploited by attackers.
According to Microsoft’s official Security Advisory, there are two remote code execution vulnerabilities. The flaws are in the Adobe Type Manager Library, which displays Adobe Type 1 PostScript fonts in Windows.
“Microsoft has become aware of limited targeted Windows 7 based attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library and is providing the following guidance to help reduce customer risk until the security update is released. We appreciate the efforts of our industry partners and are complying with a 7-day timeline for disclosing information regarding these limited attacks.
“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.”
Exploit
Microsoft says a bad actor can exploit the vulnerability through several methods, for example by tricking a victim into opening a document crafted to look legitimate.
“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” the company explained.
While the problem originates in Windows 7, it could also affect Windows 8.1 and Windows 10. Microsoft says people running Windows 10 face a low risk because of mitigations introduced when it launched.
“For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.”