It has been reported that Microsoft says attackers are exploiting a previously undisclosed security vulnerability found in all supported versions of Windows, including Windows 10 – the company said there is currently no patch for the vulnerability. The security flaw, which Microsoft deems “critical” is found in how Windows handles and renders fonts, according to the advisory posted Monday. The bug can be exploited by tricking a victim into opening a malicious document. Once the document is opened — or viewed in Windows Preview — an attacker can remotely run malware, such as ransomware, on a vulnerable device. The advisory said that Microsoft was aware of hackers launching “limited, targeted attacks,” but did not say who was launching the attacks or at what scale.
Microsoft’s security advisory highlights three important points. First, creating software is essentially a kind of manufacturing, where a finished product is assembled from software components, just as an airplane is assembled from thousands of individual parts. It is the responsibility of the manufacturer to keep track of those parts to make sure they are correct and safe. In this case, Microsoft is actually reporting on an Adobe component which contains vulnerabilities that affect Microsoft’s products.
Second, sometimes the bad guys find the vulnerabilities. When white hat researchers locate vulnerabilities, they engage in a coordinated disclosure so that a software vendor has a chance to patch their software before the vulnerability is disclosed. In this case, however, Microsoft appears to have found out about the vulnerability because it was already being exploited in the wild. This means that they have issued a security advisory, but they will have to hustle to get the patch ready as soon as possible.
Finally, you should never, ever, ever click on links in emails or open documents whose origin is uncertain. The attack that exploits this vulnerability depends on tricking users into opening specially crafted malicious documents. Every time you are tempted to click a link or open an attachment, take a moment and think about what you’re doing. When you decide it is OK, take another moment and think some more.