Microsoft said on Monday that it has discovered a flaw in Windows 10 and other versions of the operating system that has already resulted in “limited targeted attacks.” There is as of yet no patch for the vulnerability, though Microsoft ranks it as a “critical” flaw.
Per TechCrunch, Microsoft’s security team said a bug in its Adobe Type Manager Library (atmfd.dll), which handles rendering of some fonts, allows attackers to remotely execute malicious code by tricking a user into opening or previewing a malware-infected document. The company did not disclose who it believes is already exploiting the vulnerability in the wild, the nature of the attacks it has detected so far, or where they occurred.
Despite the title of the DLL, the bug is Microsoft’s responsibility, not Adobe’s. As Ars Technica noted, security systems built into Windows often interfere with exploits working as well in the field than they do on paper, though “limited targeted attacks” is often used as shorthand for the handiwork of state-backed hackers.
“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format,” Microsoft wrote in the advisory. “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”
Microsoft added in the advisory that it was working on a patch and that updates are usually released on the second Tuesday of a month (the next of which would be April 14).
In the meantime, Microsoft recommended a number of steps to mitigate the vulnerability. Users can disable preview and details panes in Windows Explorer, disable the WebClient service, or rename a DLL file found in versions prior to Windows 10 1709. As always, don’t download or open suspicious documents from untrusted sources.