Microsoft has published a security advisory warning that attackers are actively exploiting an unpatched vulnerability that affects nearly every supported version of Windows. The flaw, rated critical, lies in the way Windows parses and renders fonts.
The advisory describes two remote code execution vulnerabilities in the Windows Adobe Type Manager Library, caused by improper handling of a specially crafted multi-master font in the Adobe Type 1 PostScript format.
According to Microsoft, an attacker can exploit the flaws by convincing a user to open a specially crafted document, or merely to view it in the Windows Preview pane; either is enough to run code of the attacker's choosing on the machine and drop any kind of malware, including ransomware.
Windows 10 is affected as well, and the Windows Preview pane is one of the vectors through which these flaws can be triggered.
Microsoft says it is aware of attacks already exploiting the flaws, but that they are limited and targeted. A fix is being developed and is expected on the next Patch Tuesday, April 14. Windows 7, which is out of mainstream support, will receive the patch only for customers enrolled in Extended Security Updates.
Describing the impact on Windows 10 in particular, Microsoft wrote in the advisory:
For systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.
Until the patch ships, Microsoft has published several workarounds. One is to disable the Preview and Details panes in Windows Explorer, which stops Explorer from automatically parsing and rendering fonts embedded in a file just to show a preview of it.
Another is to disable the WebClient service, which removes the WebDAV (Web Distributed Authoring and Versioning) client and with it the remote attack vector: without WebClient, Explorer cannot browse a WebDAV share, so a malicious font hosted on an attacker's server cannot be fetched and rendered that way. Neither workaround fixes the underlying bug; a crafted font delivered by another route (an e-mail attachment saved and opened locally, for example) can still reach the vulnerable code.
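The two workarounds above as a PowerShell script, added here as an example rather than code from the article or from Microsoft. It applies both settings and reports whether they are in place, which is useful for auditing a fleet. The registry value names NoPreviewPane and NoReadingPane are the ones Microsoft's advisory lists for hiding the panes; they are assumed here and not stated in the article. The Explorer settings are per-user (run as the affected user); the service change needs an elevated prompt.

```powershell
# Added example, not from the article or from Microsoft's advisory.
# Run as the affected user for the Explorer settings and as Administrator
# for the service change.

# Registry value names are assumed from Microsoft's published workaround.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Disable-ExplorerPanes {
    # NoPreviewPane hides the Preview pane, NoReadingPane hides the Details pane,
    # so Explorer no longer parses fonts embedded in files to render a preview.
    if (-not (Test-Path $explorerKey)) {
        New-Item -Path $explorerKey -Force | Out-Null
    }
    New-ItemProperty -Path $explorerKey -Name 'NoPreviewPane' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $explorerKey -Name 'NoReadingPane' -PropertyType DWord -Value 1 -Force | Out-Null

    # Explorer reads these values when it starts, so restart it for the change
    # to take effect (this closes any open Explorer windows).
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}

function Disable-WebClientService {
    # Stopping and disabling WebClient removes the WebDAV client and so closes
    # the remote vector (an attacker-hosted WebDAV share browsed in Explorer).
    # Side effect: anything that relies on WebDAV (mapped WebDAV drives,
    # SharePoint "Open with Explorer") stops working until it is re-enabled.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

function Test-Workarounds {
    # Returns an object whose Hardened property is $true only when both
    # workarounds are in place; suitable for collecting from many hosts.
    $panes = Get-ItemProperty -Path $explorerKey -ErrorAction SilentlyContinue
    $panesOff = ($panes.NoPreviewPane -eq 1) -and ($panes.NoReadingPane -eq 1)

    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    # A missing service (e.g. the feature was removed) also counts as closed.
    $webClientOff = ($null -eq $svc) -or
        (($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled'))

    [pscustomobject]@{
        PanesDisabled     = $panesOff
        WebClientDisabled = $webClientOff
        Hardened          = ($panesOff -and $webClientOff)
    }
}

Disable-ExplorerPanes
Disable-WebClientService
Test-Workarounds
```

Once the April update is installed, reverse the changes by deleting the two registry values and setting WebClient back to its default startup type with `Set-Service -Name WebClient -StartupType Manual`; leaving WebClient disabled is a reasonable hardening choice on hosts that never need WebDAV.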