Microsoft has revealed that there is an unpatched flaw in all supported versions of Windows that is currently being exploited in the wild.
The ADV200006 Type 1 Font Parsing Remote Code Execution Vulnerability involves vulnerabilities in the Adobe Type Manager Library, and Microsoft is aware of limited targeted attacks against the bug.
Two vulnerabilities actually exist in how the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format, and the vulnerabilities can be exploited by convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.
Windows 7, 8.1 and all supported versions of Windows 10 are affected, though Microsoft says they will not be releasing a patch for regular Windows 7 users, but only those with Extended Support contracts.
In their FAQ they write:
Do I need an ESU license to receive the update for Windows 7, Windows Server 2008 and Windows Server 2008 R2 for this vulnerability?
Yes, to receive the security update for this vulnerability for Windows 7, Windows Server 2008, or Windows Server 2008 R2 you must have an ESU licence. See 4522133 for more information.
Why is this update not being released for all Windows 7 customers?
Windows 7 reached end of support on January 14, 2020. For more information on Microsoft lifecycle policies, please visit Life Cycle.
Microsoft is developing a patch and will likely release it in the next Patch Tuesday. Workarounds however exist, which can be seen at Microsoft here.Swipe to read more stories and follow us on Twitter or like us on Facebook Open Comments More Articles from MSPU