In brief: A previously undisclosed and yet to be patched critical security vulnerability is being exploited in the wild, affecting all recent versions of Windows (7/8/10) and Windows Server. Microsoft is working on a fix, but until then, it’s probably best to heed Microsoft’s workarounds to mitigate chances of exploitation.
Microsoft posted a new security advisory today (ADV200006), detailing what it’s calling “Type 1 Font Parsing Remote Code Execution Vulnerability.” They have given the vulnerability a “critical” severity rating, which is the highest severity rating Microsoft gives.
The flaw seems to stem from the Adobe Type Manager Library and deals with how Windows handles fonts. “Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format,” says Microsoft.
Microsoft states there are multiple ways to leverage the flaw. One way is through tricking users into opening a especially crafted and malicious document. In fact, the document doesn’t even need to opened properly; simply viewing it in the preview pane will apparently work just the same. Once opened or previewed, an attacker gains the ability for remote code execution.
Currently, there are “limited targeted attacks” that Microsoft is aware of. The company is already working on a fix, but in the meantime you can mitigate the flaw. Microsoft recommends disabling the preview pane and disabling the WebClient service. Check out the security advisory for instructions for specific Windows versions.
Patches are typically released on Patch Tuesday (the second Tuesday of the month), but Microsoft does release emergency patches outside of that schedule for critical flaws. This could be one of those cases.