Microsoft says it has discovered “limited targeted” attacks in which criminal hackers exploit two previously unknown vulnerabilities in Windows to remotely install malware on their victims’ computers. Windows 10 is also affected.
The flaws, classified as “critical”, cause Windows to handle certain fonts incorrectly. Criminals can take advantage of this by persuading users to open a specially prepared document or merely to view it in the Windows file preview. That alone is enough to execute arbitrary code on the target system. An attacker could use this, for example, to spread encryption Trojans (ransomware) or banking Trojans.
All versions of Windows from Windows 7 onwards are potentially affected, and thus also customers who still use the no-longer-supported Windows 7, for example some authorities in Germany. Those customers will only receive security updates as part of the paid “Extended Security Update” support.
All other users, including those running Windows Server 2008 or later, still have to wait for a patch as well. Microsoft will probably only distribute it on the next monthly Patch Tuesday, which is not due until April 14th.
Until then, there are workarounds for the different versions, which Microsoft has described. According to the company, they prevent at least the most likely attacks.