Amid the global pandemic, a zero-day has been reported in Microsoft Windows. On March 23, Microsoft acknowledged the existence of a critical security vulnerability in multiple versions of Windows and Windows Server. It resides in the Adobe Type Manager (ATM) Library, an integrated PostScript font library found in all versions of Windows.
Microsoft explains that there are two remote code execution vulnerabilities that can crop up when the Adobe Type Manager Library tries to handle an Adobe Type 1 PostScript font. Type 1 vector outline fonts are a specialized form of PostScript (the worldwide printing and imaging standard) that contain instructions for building outlines from scalable lines and curves, which are filled to create the solid shapes of letters and other glyphs. The vulnerabilities can be triggered when a specially crafted document is opened or even just previewed in the Windows Explorer Preview pane.
The way that Windows parses OpenType fonts makes this vulnerability exploitable. For example, an attacker could convince a normal user to open a specially crafted document or view it in the Windows Preview pane. The Windows Preview pane is used by the Windows Explorer file manager application to manage all types of existing files.
At Qualys Labs, we’ve tried to resolve the issue reported for ADV200006.
All supported Windows and Windows Server operating systems are affected:
Windows 7, 8.1, RT 8.1, 10, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
Microsoft releases an out-of-band advisory for remote code execution vulnerabilities being actively exploited in the wild.
Workarounds include disabling the Preview pane and Details pane in Windows Explorer, disabling the WebClient service, and renaming the Adobe Type Manager Font Driver DLL file (ATMFD.dll), as quoted by Microsoft.
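A host-side check for two of these workarounds, added here as an example and not taken from Microsoft or Qualys. The function name is hypothetical, and the script assumes that ATMFD.dll, where present, sits under `%windir%\System32` or `%windir%\SysWOW64`.

```powershell
# Added example: report whether the WebClient and ATMFD.dll workarounds
# appear to be in place on the local machine. Read-only; changes nothing.
function Get-AtmfdWorkaroundStatus {
    [CmdletBinding()]
    param(
        # Assumption: directories where ATMFD.dll may exist under its original name.
        [string[]]$FontDriverDirs = @(
            (Join-Path $env:windir 'System32'),
            (Join-Path $env:windir 'SysWOW64')
        )
    )

    # Workaround: WebClient service disabled (and not currently running).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" `
        -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $webClient = 'NotInstalled'
    } elseif ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') {
        $webClient = 'Disabled'
    } else {
        $webClient = "Active (StartMode=$($svc.StartMode), State=$($svc.State))"
    }

    # Workaround: ATMFD.dll renamed, so no file should remain under that name.
    # A missing file can also mean this Windows build never shipped the driver.
    $found = @(foreach ($dir in $FontDriverDirs) {
        $path = Join-Path $dir 'ATMFD.dll'
        if (Test-Path -LiteralPath $path -PathType Leaf) { $path }
    })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        WebClientService   = $webClient
        AtmfdDllFound      = $found -join '; '
        WebClientMitigated = $webClient -ne 'NotInstalled' -and $webClient -notlike 'Active*'
        AtmfdMitigated     = $found.Count -eq 0
    }
}

Get-AtmfdWorkaroundStatus | Format-List
```

The Preview pane and Details pane settings are per-user Explorer options and are not covered by this check.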
Qualys customers can scan their network with QID 91617 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on vulnerabilities.