An unpatched vulnerability exists in the Adobe Type Manager Library in all supported versions of Windows. Hackers are already trying to exploit this vulnerability, as Microsoft writes in a security advisory. Addendum: 0patch has released a micropatch.
The details can be found in ADV200006, which addresses a vulnerability in the Adobe Type 1 Manager Library. This vulnerability was brought to my attention via the following tweet and a security advisory from Microsoft.
Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing guidance to help reduce customer risk until the security update is released. See the link for more details. https://t.co/tUNjkHNZ0N
— Security Response (@msftsecresponse) March 23, 2020
Microsoft is aware of a limited number of targeted attacks that could exploit unpatched vulnerabilities in the Adobe Type Manager Library and is providing guidance to mitigate the risk until the security update is released.
Type 1 Font Parsing Remote Code Execution Vulnerability
In ADV200006 Microsoft describes two vulnerabilities in Microsoft Windows that allow remote code execution because the Windows Adobe Type Manager Library does not correctly handle a specially crafted multi-master font – the Adobe Type 1 PostScript format. An attacker could exploit the vulnerability, for example, by tricking a user into opening a specially crafted document or viewing it in the Windows preview window.
Microsoft rates the vulnerability as critical, is aware of the attacks, and is working on a solution. Updates that fix vulnerabilities in Microsoft software are usually released on Patch Tuesday (2nd Tuesday of the month). However, there is currently no security update available.
All Windows versions are affected, from Windows 7 SP1 to Windows 8.1 and Windows 10 – and of course all server counterparts. On systems running Windows 10, a successful attack can only occur in an AppContainer sandbox context, and thus only allows limited permissions and code execution capabilities.
Workarounds to mitigate the vulnerability
In ADV200006, Microsoft specifies various measures to mitigate this vulnerability, which is considered critical. One measure is to switch off the preview for documents in Explorer. Another measure is to disable the library ATMFD.DLL.
Addendum: A German blog reader pointed out that the mitigations in Microsoft's support article are for older Windows 7 SP1/8.1 and server systems. If in doubt, check the support article mentioned above.
Currently there is no security update to close this vulnerability, although attempts to exploit the vulnerability have been reported. But Microsoft is working on a patch that is expected to be released on the April 2020 patchday. However, Windows 7 SP1 and Windows Server 2008 R2 require an ESU license to obtain the security update that will be available at that time.
Addendum: ACROS Security has already released a micropatch for Windows 7 SP1 and Server 2008 R2 for their 0patch agent – see 0patch fixes 0-day Adobe Type Library bug in Windows 7.