Microsoft disclosed a vulnerability in Windows operating systems that could lead to a remote hack of affected systems. The company said in its security advisory that there are ongoing “limited” attacks using this vulnerability. While it has not patched this vulnerability yet, it has offered ways to short-circuit the hack before it happens; one of them is to disable a feature in Windows Explorer.
Microsoft said that the vulnerability affects Windows 10, Windows 8 and its upgrades, Windows 7, and Windows Server 2008. “Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released,” the company said.
This disclosure comes two months after support for Windows 7 ended. That operating system, released in 2009, still runs on millions of PCs. Microsoft said that it wouldn’t be pushing the fix for this vulnerability to every Windows 7 user because support for that operating system has expired. Enterprise customers would need to purchase an Extended Security Update license to receive the fix for this vulnerability.
This approach indicates that Microsoft doesn’t believe this to be a major enough vulnerability to warrant reaching customers running on expired operating systems; in 2019, the company issued an urgent fix even to home versions of Windows XP, whose support ended years ago, after the outbreak of WannaCry ransomware on networks around the world.