Microsoft warns users of unpatched Windows security flaw

24 Mar 2020


While Microsoft develops a patch for the ‘critical’ vulnerability, it has advised users to run a workaround to avoid any targeted attacks.

On Monday (23 March), Microsoft shared a security advisory warning users of a newly discovered bug that remains unpatched.

The company said that it is aware of targeted attacks on vulnerabilities in the Adobe Type Manager Library. Microsoft said that this vulnerability was found in all supported versions of Windows including the latest version, Windows 10.

Microsoft rated the security flaw as critical, its highest severity rating, and is currently working on a patch.

The vulnerabilities

Microsoft said that there are two remote code execution vulnerabilities in Windows, which arise when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font.

The company said: “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

Microsoft also said it is aware of “limited, targeted attacks that attempt to leverage this vulnerability”, meaning that attackers already knew of the flaw when the advisory was published.

The company did not give a date for when a patch may be released, but said that updates addressing security vulnerabilities in Microsoft products are typically released on its ‘Update Tuesday’. This falls on the second Tuesday of each month, meaning the next update would not be until April.

“This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” Microsoft added.

The company also released a list of workarounds and guidance on how to reduce the risk of attack.

Windows 7 is among the affected operating systems, but its users will not receive a security update unless they have an enterprise extended security support agreement, as Microsoft ended support for the operating system in January.

Kelly Earley was a journalist with Silicon Republic
