Microsoft is warning of critical zero-day flaws in its Windows operating system that could enable remote code execution. The unpatched flaws are being exploited by attackers in “limited, targeted” attacks, the company said.
According to Microsoft, two remote code execution vulnerabilities exist in the way that Windows’ Adobe Type Manager Library handles certain fonts. Adobe Type Manager is a font management tool built into both Mac OS and Windows operating systems, and produced by Adobe. While no patches are available for the flaws, workaround mitigations can protect users.
“Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released,” according to a Monday Microsoft security advisory.
Specifically, the flaw exists because the Windows version of Adobe Type Manager Library improperly handles a specially-crafted multi-master font (called the Adobe Type 1 PostScript format). Type 1 vector outline fonts are a specialized form of PostScript (the worldwide printing and imaging standard), which contain instructions for building outlines from scaleable lines and curves (filled to create the solid shapes of letters and other glyphs), according to Adobe.
Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing guidance to help reduce customer risk until the security update is released. See the link for more details. https://t.co/tUNjkHNZ0N
— Security Response (@msftsecresponse) March 23, 2020
There are multiple ways an attacker could exploit the vulnerabilities, Microsoft said. For example, an attacker could convince a user to open a specially crafted document or view it in the Windows Preview pane. Windows Preview pane is used by the Windows Explorer (which is called File Explorer in Windows 10) file manager application to preview pictures, video, and other content.
All currently-supported versions of Windows are affected, including Windows 10, as well as versions of Windows 7, Windows 8.1, Windows RT, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019 (a full list of affected versions can be found in the advisory). Windows 7 is also affected, though it has reached end of support, said Microsoft.
Workarounds
While no patches are available yet, Microsoft recommended a slew of mitigations and workarounds. That includes disabling the preview pane and details pane in Windows. Blocking this would mean that Windows Explorer (or File Explorer in Windows 10) will not automatically display OpenType fonts.
“Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer,” said Microsoft. “While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.”
Other workarounds include disabling the WebClient service. Microsoft said that disabling this service blocks the Web Distributed Authoring and Versioning (WebDAV) client service, which is a “likely remote attack vector.” WebDAV is an HTTP extension that allows clients to perform remote Web content authoring operations.
“After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet,” said Microsoft.
Another workaround is renaming ATMFD.DLL (the file name of Adobe Type Manager Font Driver), said Microsoft. The company also noted that for systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.
Microsoft said it is currently working on a fix and that a patch would likely come during its regularly scheduled Patch Tuesday updates (scheduled for April 14).
“Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month,” according to Microsoft. “This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”
Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.
