Amidst the global pandemic, there has been an emerge of a zero-day reported in Microsoft Windows. On March 23, Microsoft acknowledged the existence of a critical security vulnerability in multiple versions of Windows and Windows Server, in Adobe Type Manager (ATM) Library, an integrated PostScript font library found in all versions of Windows.
Microsoft explains that there are two remote code execution vulnerabilities that can crop up when the Adobe Type Manager Library tries to handle an Adobe Type 1 PostScript font. Type 1 vector outline fonts are a specialized form of PostScript (the worldwide printing and imaging standard), that contain instructions for building outlines from scaleable lines and curves like it is filled to create the solid shapes of letters and other glyphs. This can happen when a specially-crafted document is opened or even just previewed in the Windows Explorer Preview pane.
The way that Windows parses OpenType fonts make this vulnerability exploitable. For example, a normal user could be convinced by an attacker to open a specially crafted document or view it in the Windows Preview pane. Windows Preview pane is used by the Windows Explorer file manager application to manage all types of existing files.
At Qualys Labs, we’ve tried to resolve the issue, reported for ADV200006.
All supported Windows and Windows Server operating systems are affected.
Windows 7, 8.1, RT 8.1, 10, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
Microsoft releases an out-of-band advisory for remote code execution vulnerabilities being actively exploited in the wild.
Workarounds, includes disabling the Preview pane and Details pane in Windows Explorer, disabling the WebClient service and renaming the Adobe Type Manager Font Driver dll file (ATMFD.dll) as quoted by Microsoft.
Qualys customers can scan their network with QID(s)# 91617 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.
References & Sources:
2 thoughts on “Microsoft Windows Adobe Type Manager Library Remote Code Execution zero-day Vulnerability (ADV200006)”
Microsoft says they are “not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds”. However, Qualys scanner reports high vulnerabilities for Server 2016 and 2019. Should that not be lower?
Agreed. It seems reasonable that the threat level would be lower for Windows 10 assets. Can Qualys explain the rationale applied to the rating for Windows 10 devices in light of Microsoft’s guidance?