Microsoft Windows Type 1 Font Parsing Remote Code Execution Vulnerability

Reference: Advisory #2020-008
Version: 1.0
Affected software: Microsoft Windows - Adobe Type Manager Library
Type: Remote Code Execution (RCE), Information Disclosure

Sources

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

https://www.zdnet.com/article/microsoft-warns-of-windows-zero-day-exploited-in-the-wild/

https://www.helpnetsecurity.com/2020/03/23/windows-zero-days/

Risks

An attacker could exploit the vulnerability in multiple ways, including when a user views a document in the Windows Preview pane. Successful exploitation could allow the attacker to:

 - Run code on the user's system.

 - Perform actions as a privileged user.

Description

There are 2 Remote Code Execution vulnerabilities in the Adobe Type Manager Library (atmfd.dll). Microsoft uses this library to render PostScript Type 1 fonts, and it is part of the default installation of Windows operating systems.

A patch is currently not available. However, Microsoft has released workarounds to mitigate the threat until patches are available.

Some of the mitigations include:

 - Disabling the Preview Pane and Details Pane in Windows Explorer.

 - Disabling the WebClient service.

 - Renaming the affected "atmfd.dll" file.

For an overview of the mitigations and their impact for each Windows OS version, please read the official Microsoft advisory, listed first under Sources.
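
A read-only PowerShell check for the three workarounds listed above, added here as an example and not taken from the CERT.be or Microsoft advisory. The function names are hypothetical, and the Preview Pane check assumes the pane is turned off through the per-user Explorer policy value NoReadingPane.

```powershell
# Added example: read-only audit of the workarounds named in this advisory.
# It changes nothing on the system. Run it in the affected user's session.

function Get-AtmfdFileState {
    # atmfd.dll sits in System32 (and SysWOW64 on 64-bit systems).
    # The workaround renames it, so the original name should no longer resolve.
    # A file that was never present on this Windows version also reports True.
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:windir "$dir\atmfd.dll"
        [pscustomobject]@{
            Check     = "atmfd.dll renamed or absent in $dir"
            Mitigated = -not (Test-Path -LiteralPath $path)
        }
    }
}

function Get-WebClientState {
    # Win32_Service reports StartMode (Auto, Manual, Disabled) and State.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        Check     = 'WebClient service disabled and stopped'
        # A service that is not installed cannot be started, so it counts as mitigated.
        Mitigated = (-not $svc) -or
                    ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
    }
}

function Get-PreviewPaneState {
    # Assumption: the pane is disabled with the policy value NoReadingPane = 1.
    # A pane that was only hidden in the Explorer UI is not detected here,
    # and the Details Pane is not checked.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoReadingPane `
                -ErrorAction SilentlyContinue).NoReadingPane
    [pscustomobject]@{
        Check     = 'Preview Pane policy set (current user)'
        Mitigated = ($val -eq 1)
    }
}

# Collect all results and show one row per check.
$results = @(Get-AtmfdFileState) + @(Get-WebClientState) + @(Get-PreviewPaneState)
$results | Format-Table -AutoSize
```

Any row showing `False` in the Mitigated column identifies a workaround that is not in place for that host or user.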

Recommended Actions

Microsoft released an advisory for this vulnerability. 

CERT.be recommends applying the mitigations and applying the patch as soon as possible once it is released (next Patch Tuesday - 31/03/2020).