A flaw in the Win32k TrueType font-parsing engine affected every version of Windows from XP through Windows 7, Microsoft said in a security advisory.
The vulnerability is related to the spread of the Duqu malware, a Stuxnet-like Trojan infecting computers through a Word document. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the advisory warns.
Microsoft said it is aware of targeted attacks that try to use the reported vulnerability, but that overall customer impact is currently low.
Microsoft has shared detailed information on how to build detection into security software with partner companies, which will soon issue software updates to combat the issue, Jerry Bryant, group manager of Microsoft's Response Communications and Trustworthy Computing groups, said in a blog post.
"This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability," Bryant wrote. "Therefore, we encourage customers to ensure their antivirus software is up-to-date."
The security advisory said that on completion of the investigation into the vulnerability, Microsoft may provide a security update through the monthly release process or provide an out-of-cycle security update, depending on customer needs.