Microsoft has released patches for three critical vulnerabilities in Windows that have been actively exploited for several weeks. The fixes came as part of the April Patch Tuesday security updates, which also included patches for more than a dozen other critical vulnerabilities.
On March 23 Microsoft warned that attackers were using two previously unknown vulnerabilities in the Windows Adobe Type Manager library in targeted attacks. The attacks specifically targeted systems running Windows 7, as older versions of Windows were more at-risk from these flaws than newer releases. Windows 10 systems have a very small risk of remote code execution attacks against those vulnerabilities, Microsoft said.
“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” the Microsoft advisory says.
The risk of exploitation for Windows 10 systems is lower because of the way that the exploit would work.
“For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.
The third vulnerability patched Tuesday that was known to have been exploited was a privilege escalation flaw in the Windows kernel. That bug would be of interest to an attacker who already has a foothold on a target system.
“An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application,” the advisory says.
With known exploits in the wild, deploying the patches for these vulnerabilities should be a top priority for enterprises that are running Windows 7 and other older versions in their environments. There is also a detailed analysis of the Adobe Type Manager library vulnerabilities published by the Chinese research team Tencent on Tuesday. That report includes a step-by-step breakdown of the bugs.