Microsoft disclosed a new remote code execution vulnerability today that affects all supported versions of Windows and is currently being exploited in “limited targeted attacks” (via TechCrunch). A successful attack could, in theory, let a hacker remotely run code or malware on the victim’s device.
The flaw involves the Adobe Type Manager Library, which helps Windows render fonts. “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” according to Microsoft. The vulnerability has a severity level of “critical,” which is the company’s highest rating.
There isn’t currently a patch available to fix the flaw, though Microsoft’s advisory notes that updates to address security vulnerabilities are usually released as part of Update Tuesday, typically scheduled for the second Tuesday of every month. On that schedule, the next Update Tuesday would, in theory, fall on April 14th.
In a statement to The Verge, Microsoft reiterated its standard Update Tuesday policy, but the company did not give a specific date for when a patch might be issued.
Microsoft offers instructions for a few temporary workarounds in its advisory, such as disabling the Preview Pane and Details Pane in Windows Explorer.