Microsoft warns of Windows zero-day exploited in the wild

UPDATED: Hackers are exploiting a zero-day in the Adobe Type Manager Library (atmfd.dll) that ships with the Windows OS.
Written by Catalin Cimpanu, Contributor

Hackers are exploiting a zero-day vulnerability in the Windows 7 OS to take over systems, Microsoft said in a security alert today.

The zero-day is located in the Adobe Type Manager Library (atmfd.dll), a library that Microsoft uses to render PostScript Type 1 fonts inside multiple versions of the Windows OS.

Microsoft says there are two remote code execution (RCE) vulnerabilities in this built-in library that allow attackers to run code on a user's system and take actions on their behalf.

"There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane," the company said.

The company described the current attacks exploiting the zero-day as "limited" and "targeted." The attacks were primarily aimed at Windows 7 systems; however, other Windows versions are also impacted.

According to Microsoft, all currently supported versions of the Windows and Windows Server operating systems are vulnerable; however, the zero-day is less effective in Windows 10, where the atmfd.dll file is either not present or runs inside an AppContainer sandbox with limited privileges and capabilities.

Security updates are currently not available. Microsoft intimated that they might arrive during next month's Patch Tuesday -- currently scheduled for April 14.

In the meantime, Microsoft has published a series of mitigations that companies and home users can take if they believe they might be targeted with a Windows zero-day attack. Microsoft said the mitigations are not needed for Windows 10 systems, where the zero-day has a reduced impact.

Mitigations for other operating systems include taking actions like:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient service
  • Renaming ATMFD.DLL
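
For administrators who want to confirm which of these mitigations are in place on a host, here is a read-only audit sketch. It is an added example, not code from Microsoft's advisory or from this article. It assumes ATMFD.DLL sits in the System32 and SysWOW64 directories under the Windows root, the function name `Get-AtmfdMitigationStatus` is hypothetical, and the Preview Pane setting is not checked because it is a per-user Explorer option.

```powershell
# Added example: read-only audit of two mitigations from the list above.
# Assumption: ATMFD.DLL lives in System32 / SysWOW64 under the Windows root.
# Run from a 64-bit PowerShell on 64-bit Windows so System32 is not redirected.
function Get-AtmfdMitigationStatus {
    [CmdletBinding()]
    param(
        [string]$SystemRoot = $env:SystemRoot
    )

    # WebClient service: counts as mitigated when its start mode is Disabled.
    # Win32_Service is queried so the check also works on older PowerShell
    # versions such as those shipped with Windows 7.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'" `
                         -ErrorAction SilentlyContinue
    if ($svc) {
        New-Object PSObject -Property @{
            Check     = 'WebClient service'
            State     = "$($svc.StartMode) / $($svc.State)"
            Mitigated = ($svc.StartMode -eq 'Disabled')
        }
    } else {
        # Service not installed on this host, so there is nothing to disable.
        New-Object PSObject -Property @{
            Check     = 'WebClient service'
            State     = 'Not installed'
            Mitigated = $true
        }
    }

    # ATMFD.DLL: counts as mitigated when no file with that name is present.
    # Absence means it was renamed or that this Windows build does not ship it.
    foreach ($dir in 'System32', 'SysWOW64') {
        $dirPath = Join-Path $SystemRoot $dir
        if (-not (Test-Path -LiteralPath $dirPath -PathType Container)) { continue }

        $dllPath = Join-Path $dirPath 'atmfd.dll'
        $present = Test-Path -LiteralPath $dllPath -PathType Leaf
        $state   = 'Absent'
        if ($present) { $state = 'Present' }

        New-Object PSObject -Property @{
            Check     = "ATMFD.DLL in $dir"
            State     = $state
            Mitigated = (-not $present)
        }
    }
}

Get-AtmfdMitigationStatus | Format-Table Check, State, Mitigated -AutoSize
```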

Article updated on March 24 at 11:00am ET with new information from the Microsoft security advisory about Windows 10's status.
