Microsoft is warning Windows users about Windows 7-based attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library. Because the company is still working on a fix, it has published an advisory to help reduce customer risk until the security update is released. The company advises its industry partners to comply with a 7-day timeline for disclosing information regarding these limited attacks.
Critical security flaw
The security flaw was rated as critical. There is still no patch for the bug. Microsoft offered a temporary workaround for affected Windows users to mitigate the flaw until a fix is available. Microsoft explained:
“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.”
An attacker could convince a user to open a specially crafted document or to view it in the Windows Preview pane. These are only some of the multiple ways that an attacker could exploit the vulnerability.
Microsoft underlined that it is aware of this vulnerability and reminded users that the company releases updates that address security vulnerabilities in Microsoft software on the second Tuesday of each month.
The advisory notes that the threat is low for systems running Windows 10 because of mitigations that were put in place with the first version, released in 2015. Microsoft also published the list of operating system versions that are affected by this vulnerability.