Microsoft Corp. today revealed that hackers are exploiting two previously unknown vulnerabilities that are found in all supported versions of Windows and that a patch is not yet unavailable.

The remote code execution vulnerabilities are found in the Adobe Type Manager Library (atmfd.dll) that is used by Windows to render PostScript Type 1 fonts inside of Windows. An attacker can exploit the vulnerabilities in multiple ways, such as persuading a user to open a specially crafted document or viewing it in the Windows Preview pane.

Exactly how wide-ranging the attacks are is not precisely known. Microsoft said only that it’s aware of “limited targeted attacks.” While no help currently, Microsoft did note that it’s working on a fix and that it may be available as part of its monthly Patch Tuesday security release. The next Patch Tuesday is scheduled for April 14.

Microsoft recommended several mitigations Windows users can take, including disabling the Preview Pane and Details Pane in Windows Explorer, disabling the WebClient service and renaming atmfd.dll.

“First, creating software is essentially a kind of manufacturing, where a finished product is assembled from software components, just as an airplane is assembled from thousands of individual parts,” Jonathan Knudsen, senior security strategist at electronic design automation company Synopsys Inc., told SiliconANGLE. “It is the responsibility of the manufacturer to keep track of those parts to make sure they are correct and safe. In this case, Microsoft is actually reporting on an Adobe component which contains vulnerabilities that affect Microsoft’s products.”

Second, he said, sometimes the bad guys simply find the vulnerabilities. “When white-hat researchers locate vulnerabilities, they engage in a coordinated disclosure so that a software vendor has a chance to patch their software before the vulnerability is disclosed,” Knudsen explained. “In this case, however, Microsoft appears to have found out about the vulnerability because it was already being exploited in the wild. This means that they have issued a security advisory, but they will have to hustle to get the patch ready as soon as possible.”

Knudsen’s advice: “You should never, ever, ever click on links in emails or open documents whose origin is uncertain. The attack that exploits this vulnerability depends on tricking users into opening specially crafted malicious documents.”

Image: Wallpaperflare