Microsoft has acknowledged new zero-day vulnerabilities in all versions of Windows that are already being exploited by attackers. The two remote code execution vulnerabilities were found in the Adobe Type Manager Library, which Windows uses to display fonts in the Adobe Type 1 PostScript format.
“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” the company explained. While there’s no fix yet for Windows 10, Windows 8.1, and Windows 7, the company explains that “for systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.”
Microsoft is already working on a fix that should be available on next month’s Patch Tuesday. In the meantime, users can protect themselves by disabling the Preview Pane and Details Pane in Windows Explorer, as well as the WebClient service. We invite you to check out Microsoft’s Security Advisory for more details about these mitigations.