Microsoft warns that attackers are targeting two zero-day remote code execution vulnerabilities that exist in all versions of Windows – and a fix is not expected until the April patch Tuesday.
The vulnerabilities exist in the Adobe Type Manager library which is a standard Windows component used primarily by Windows Explorer to display previews of document contents in the ‘Preview’ and ‘Details’ pane. This means the exploit can be triggered by simply previewing a document – without actually opening it.
The risk for Windows 7 and Server 2008 and 2012 are more serious with the severity rated as Critical by Microsoft. While on supported Window 10 family systems and servers the vulnerabilities are rated as Important as they are harder to exploit due to architectural differences between the code families.
Microsoft has published a detailed Security Advisory describing mitigating steps that can be taken – especially important for any systems still running Windows 7 that will not receive a patch for this vulnerability.
There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.