What you need to know
- Microsoft disclosed a "critical" new Windows flaw today.
- The vulnerability affects all supported versions of Windows.
- Hackers are actively exploiting the unpatched flaw in "limited, targeted attacks," Microsoft says.
Microsoft today posted a security advisory disclosing a new, unpatched vulnerability in Windows. The flaw is rated as "critical" in severity, and it affects all supported versions of Windows. Microsoft says it is working on a fix, but there's currently no patch available (via TechCrunch).
"Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format," Microsoft said in its security guidance. "There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane."
Microsoft says that it is aware of "limited, targeted attacks" that attempt to use the vulnerability. As for when a patch may be available, Microsoft simply says that updates that "address security vulnerabilities in Microsoft software are typically released on Update Tuesday." That would put a potential patch on April 14.
In an accompanying FAQ, Microsoft clarifies that the Windows Explorer Preview Pane is an attack vector for this vulnerability, but the Outlook Preview Pane is not. The company also clarifies that Windows 7 machines will be patched only if they have an extended security update license. Windows 7 reached end-of-support on January 14.