Microsoft has warned that some hackers are undertaking targeted attacks using an unpatched vulnerability in the Windows 10 operating system.
The vulnerability is found in the Adobe Type Manager Library, and affects all supported versions of Windows 10, as well as Windows 7 and Windows Server. Microsoft said that it is “aware of this vulnerability and working on a fix”.
The vulnerability is of particular concern given the numbers of people working from home due to the coronavirus crisis, who will have less access to tech support and need to make more decisions about their computer’s cybersecurity than would usually be the case.
A hacker could exploit the vulnerability by getting users to open documents that contain malware, potentially using it as a gateway for severe attacks.
Microsoft will “have to hustle” to fix unpatched Windows 10 vulnerability
The disclosure of the unpatched Windows 10 vulnerability by Microsoft highlights the fact that software created by other companies can introduce vulnerabilities into operating systems.
“Creating software is essentially a kind of manufacturing, where a finished product is assembled from software components, just as an airplane is assembled from thousands of individual parts. It is the responsibility of the manufacturer to keep track of those parts to make sure they are correct and safe,” said Jonathan Knudsen, senior security strategist at Synopsys.
“In this case, Microsoft is actually reporting on an Adobe component which contains vulnerabilities that affect Microsoft’s products.”
It also highlights that vulnerabilities can sometimes only be found because they have been exploited.
“Sometimes the bad guys find the vulnerabilities. When white hat researchers locate vulnerabilities, they engage in a coordinated disclosure so that a software vendor has a chance to patch their software before the vulnerability is disclosed,” said Knudsen.
“In this case, however, Microsoft appears to have found out about the vulnerability because it was already being exploited in the wild. This means that they have issued a security advisory, but they will have to hustle to get the patch ready as soon as possible.”
Advice for users
For those worried about vulnerabilities, particularly those working from home, the advice is to exercise caution.
“You should never, ever, ever click on links in emails or open documents whose origin is uncertain. The attack that exploits this vulnerability depends on tricking users into opening specially crafted malicious documents,” explained Knudsen.
“Every time you are tempted to click a link or open an attachment, take a moment and think about what you’re doing. When you decide it is ok, take another moment and think some more.”
Users should also install updates as soon as they are made available by Microsoft. The technology giant has indicated that a patch may be included in the next Patch Tuesday, which occurs on the second Tuesday of each month.