Pierluigi Paganini March 27, 2020

ACROS Security’s 0patch service released unofficial patches for two Windows flaws actively exploited by attackers in the wild.

ACROS Security’s 0patch service released unofficial patches for two Windows vulnerabilities actively exploited by attackers in the wild, both issues have yet to be fixed by Microsoft.

A few days ago, Microsoft warned of hackers actively exploiting two zero-day remote code execution vulnerabilities in Windows Adobe Type Manager Library. Both issues impact all supported versions of Windows.

The vulnerabilities affects the way Windows Adobe Type Manager Library handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.

“Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released.” reads the advisory published by Microsoft.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.”

Microsoft announced that it plans to address the flaws with the release of the next month’s Patch Tuesday scheduled on April 14.

Microsoft pointed out that a successful attack on systems running supported versions of Windows 10 could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.

Microsoft described multiple attack scenarios, the attackers could trick victims into opening a specially crafted document or viewing it in the Windows Preview pane. The vulnerabilities could not be exploited through Internet Explorer or the Outlook preview pane.

The flaws impact all supported versions of Windows.

Microsoft pointed out that a successful attack on systems running supported versions of Windows 10 could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.

Microsoft suggests disabling the Preview Pane and Details Pane in Windows Explorer to mitigate the risk of exploitation of both zero-day flaws. Another mitigation consists of disabling the WebClient service, it allows to block the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. Another workaround is renaming the actual library ‘ATMFD.DLL.’

Waiting for the official patches, 0patch developed an unofficial patch and will release it for free, Once the official patches will be released by Microsoft, the 0patch fix will be available to its paying customers.

The security patches developed by 0patch address the issues for Windows 7 and Windows Server 2008 R2 without ESU. The service will also release unofficial patches for Windows 7 and Server 2008 R2 with ESU, Windows 8.1, and Windows Server 2012.

“With this micropatch in place, all applications using Windows GDI for font-related operations will find any Adobe Type 1 PostScript fonts rendered invalid and unable to load,” reads a post containing technical details of the patches released by 0patch.

Below a video published by the experts that shows the micropatch in action:

Pierluigi Paganini

(SecurityAffairs – Windows patches, zero-days)

[adrotate banner=”5″]

[adrotate banner=”13″]