Company confirms critical vulnerability in all Windows versions

Mar 24, 2020 06:33 GMT

Microsoft has officially acknowledged a remote code execution flaw affecting all Windows versions, confirming that it’s aware of limited attacks against its users.

Microsoft, however, suggested it wouldn’t release an out-of-band patch to resolve the vulnerability, despite the attacks happening in the wild, and instead would just wait for the next Patch Tuesday due in April to fix it.

The security flaw resides in the Adobe Type Manager Library, which Windows uses for fonts. Windows 10, Windows 8.1, and even the unsupported Windows 7 are all vulnerable to attacks.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” Microsoft explains.

Next Patch Tuesday – April 14

So when is a patch coming? Not too soon, it seems, as Microsoft just wants to stick with its Patch Tuesday cycle to resolve the vulnerability.

“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” the company says.

In the meantime, there are several workarounds that users can apply to protect their devices from attack, all of which Microsoft details in its advisory.

The next Patch Tuesday takes place on April 14, when Microsoft will release security updates for all Windows versions still receiving support. Given that Windows 7 is no longer supported, it wouldn’t receive a fix for this vulnerability.