Pierluigi Paganini March 23, 2020

Microsoft warns of hackers actively exploiting two zero-day remote code execution vulnerabilities in Windows Adobe Type Manager Library.

Microsoft warns of hackers exploiting two zero-day remote code execution (RCE) vulnerabilities in the Windows Adobe Type Manager Library, both issues impact all supported versions of Windows.

The vulnerabilities affects the way Windows Adobe Type Manager Library handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.

“Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released.” reads the advisory published by Microsoft.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.”

Microsoft describes multiple attack scenarios, the attackers could trick victims into opening a specially crafted document or viewing it in the Windows Preview pane.

The good news is that the number of targeted attacks in the wild exploiting the two RCE flaws is “limited”

Microsoft announced that it plans to address the flaws with the release of the next month’s Patch Tuesday scheduled on April 14.

“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.” continues the advisory.

Microsoft pointed out that a successful attack on systems running supported versions of Windows 10 could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.

Microsoft suggests disabling the Preview Pane and Details Pane in Windows Explorer to mitigate the risk of exploitation of both zero-day flaws.

“Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.” states the advisory.

Another mitigation consists of disabling the WebClient service, it allows to block the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

“After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet,” Microsoft clarifies.

Another workaround is renaming the actual library ‘ATMFD.DLL.’

Pierluigi Paganini

(SecurityAffairs – zero-day, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]