Microsoft warned today of targeted attacks actively exploiting two zero-day remote code execution (RCE) vulnerabilities found in the Windows Adobe Type Manager Library and impacting all supported versions of Windows.
"Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released," the company says.
The two RCE security flaws exist in Microsoft Windows "when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format."
Microsoft has rated the vulnerabilities as Critical and says that they are impacting machines running desktop and server Windows releases, including Windows 10, Windows 8.1, Windows 7, and multiple versions of Windows Server.
Microsoft says that a fix for the vulnerabilities is currently being developed and hints at a future release coming during next month's Patch Tuesday (on April 14).
"Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month," the advisory reads.
"This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers."
Users of Windows 7, Windows Server 2008, or Windows Server 2008 R2 are required to have an ESU license to receive future security updates fixing these issues (more information here).