Hackers are exploiting a pair of previously unknown vulnerabilities in Windows that can be used to create booby-trapped documents that can help take over your computer, according to Microsoft.
On Monday, Microsoft said it's “aware of limited targeted attacks” abusing the two flaws — both of which remain unpatched. Operating systems including Windows 10, Windows 8.1 and Windows 7, along with various Windows Server versions, are all affected.
The company is refraining from disclosing details about the attacks, and how prolific they’ve been. But in a security advisory Microsoft said: “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”
The two vulnerabilities deal with the Windows Adobe Type Manager Library, which is used to parse and properly display Adobe-based fonts on a computer. According to Microsoft, the library will mishandle a specially crafted multi-master font known as Adobe Type 1 PostScript format. The error can trigger what's known as code execution, which a hacker can abuse to manipulate a PC to download and install additional malware.
Microsoft is still working on a patch, which probably won’t arrive until April 14. In the meantime, the company has come up with temporary solutions to mitigate the attack. They include disabling the Preview Pane and Details Pane in Windows Explorer. Another safeguard is renaming the Adobe Type Manager Font Driver file “ATMFD.dll.”
You can check out the advisory for the exact steps. Microsoft also notes the Outlook Preview pane remains immune to the vulnerabilities. To stay safe, we recommend not opening attachments in emails from untrusted senders.
The bad news is that Microsoft isn’t releasing a patch for consumers on Windows 7, which the company ended support for in January. Only Windows 7 enterprise users who purchased Extended Security Updates will receive a fix.
Why Everyone Wants Windows 10
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
