Microsoft warned of critical, zero-day flaws in Windows and Windows Server operating systems being actively exploited by attackers.
In a security advisory released today, Microsoft said it’s “aware of limited targeted attacks” using the remote-code execution vulnerabilities in Windows Adobe Type Manager Library, a font management tool. Once exploited, attackers could run malware and other malicious code even on fully updated systems.
No patch exists yet, but Microsoft said it is working on a fix for the flaws. It didn’t, however, say when it would likely issue a patch, although the security advisory noted that “updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.”
Two remote-code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format. According to Microsoft there are “multiple ways” that a hacker could exploit the bug, “such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”
Until it issues a patch, Microsoft suggests that customers disable the preview pane and details pane in Windows Explorer as a workaround. But, it warns, while disabling these panes prevents malicious files from being rendered in Windows Explorer, it doesn’t prevent a local, authenticated user from exploiting the vulnerability.
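For administrators who want to apply and verify the preview-pane part of that workaround at scale rather than clicking through the Explorer View tab on each machine, the following PowerShell is an added example and is not part of the article or of Microsoft’s advisory. It assumes the standard per-user Explorer setting `ShowPreviewHandlers` under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` (DWORD, 1 = preview pane enabled, 0 = disabled); the details pane is not handled here and should still be turned off in Explorer as the article describes.

```powershell
# Added example: audit and disable the Windows Explorer preview pane for the current user.
# Assumption: the per-user ShowPreviewHandlers DWORD controls the preview pane (1 = on, 0 = off).
$explorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-PreviewPaneState {
    # Returns $true when the preview pane is enabled (or the value is absent, which Explorer treats as enabled).
    $value = Get-ItemProperty -Path $explorerAdvanced -Name 'ShowPreviewHandlers' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $true }
    return ($value.ShowPreviewHandlers -ne 0)
}

function Disable-PreviewPane {
    # Creates the key if needed and sets ShowPreviewHandlers to 0; Explorer picks the change up on restart.
    if (-not (Test-Path $explorerAdvanced)) {
        New-Item -Path $explorerAdvanced -Force | Out-Null
    }
    Set-ItemProperty -Path $explorerAdvanced -Name 'ShowPreviewHandlers' -Value 0 -Type DWord
    # Note: this only stops Explorer from rendering fonts in the pane; it does not stop a local,
    # authenticated user from opening a crafted file directly, as the advisory warns.
}

Write-Output ("Preview pane enabled before: {0}" -f (Get-PreviewPaneState))
Disable-PreviewPane
Write-Output ("Preview pane enabled after:  {0}" -f (Get-PreviewPaneState))
```

Run it in each affected user’s context (or push the same value through Group Policy Preferences), then restart Explorer or sign out and back in for the change to take effect. Because it is a per-user setting, the audit function is the useful part for reporting: it lets you confirm across a fleet that the workaround is actually in place rather than assuming it is.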