On Monday, Microsoft apprised customers that the company is working on fixes for two Windows zero-day flaws that can be abused for remote code execution.

The software giant said that the flaws exist because of the way a “specially-crafted multi-master font – Adobe Type 1 PostScript format” is handled by the Windows Adobe Type Manager library.

Adobe said that the affected library is solely supported by Microsoft and Adobe product users are not vulnerable.

The faults can be exploited by a hacker by persuading the targeted user to open a particularly created document or seeing it in the Windows Preview pane, which has been termed as an attack vector for these flaws.

The tech giant says it’s aware of “limited, targeted attacks” seeking to take advantage of these flaws.

The security breaks affect Windows 10, 7, 8.1, Server 2008, Server 2012, Server 2016, Server 2019, and Server. Microsoft will craft a fix for Windows 7, which reached end of life in January, but it will only be made available to users with an Extended Security Update (ESU) license.

Microsoft has said that fixes will only become available next month, when the company issues its April 2020 updates. Meanwhile, users have been given workarounds for avoiding exploitation of the flaws. The company also highlighted that the affect is limited in the case of Windows 10.

“For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” Microsoft explained in an advisory.

Leave a Reply

Your email address will not be published. Required fields are marked *