Windows users under attack via two new RCE zero-days
2020-03-23 18:46

Attackers are exploiting two new zero-days in the Windows Adobe Type Manager Library to achieve remote code execution on targeted Windows systems, Microsoft warns.

"There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane," the company said, adding that the Outlook Preview Pane is not an attack vector for this vulnerability.

"For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities," Microsoft added.

The company did not offer more details about the attacks, nor did it say when the security updates will be released, but it noted that users of Windows 7, Windows Server 2008, or Windows Server 2008 R2 will need an Extended Security Updates license to receive them.

Microsoft has updated the advisory to say that "The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015," and that it is not aware of any attacks against the Windows 10 platform.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/QTN1eeBVEqg/