Published 30 Mar 2020

Microsoft has warned its customers about ongoing attempts to exploit two zero-day vulnerabilities that could allow remote code execution.

Both vulnerabilities relate to the Windows Adobe Type Manager Library, which is used to render Adobe PostScript fonts in Windows.

The company says:

“Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released. Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

The company did not comment on the success so far of exploit attempts, nor did it give an idea of the scale of related attacks other than by saying they are limited and targeted. For the exploit to succeed, the target needs to be manipulated into opening a specially crafted document, although it is also sufficient to simply view the corresponding folder in Windows Explorer if thumbnails and the preview pane are turned on. Microsoft says that the preview pane in Outlook is not an attack vector for this exploit, but it also notes that there are multiple ways in which an attacker could use this exploit.

Microsoft says that it is currently working on a patch for the vulnerability. It points out, however, that the second Tuesday of the month, popularly known as Patch Tuesday, is the usual time for security-related fixes. IT planners can then work around this predictable timing and schedule their update activities accordingly.

The vulnerability affects versions of Windows going back to Windows 7 and Windows Server 2008. While no patch was available at the time of writing, Microsoft did suggest some workarounds, including disabling the preview pane and thumbnails in Windows Explorer. This will prevent OpenType fonts (OTF) from being automatically displayed, cutting down the chances of success for the exploit. Microsoft also suggests turning off the WebClient service, because the WebDAV service appears to be a common attack vector for the associated exploits, although this will not help systems that have already been compromised.

The news of two unpatched vulnerabilities demonstrates that while patching is important, it is not the be all and end all of cybersecurity. Sometimes workarounds still need to be employed, and other technologies, such as you may find in managed IT support services, may be beneficial in closing down potential attack vectors. While we can provide all of the above at Pro-Networks, we also appreciate the importance of enabling employees to spot potential attacks and avoid facilitating an attack, such as by being manipulated into opening a malicious document that may compromise the security of your network.


Please share this post using any of the following share buttons.

Read similar posts to this article

Microsoft Confirms 5th October Rele...

Patched Windows systems remain vuln...

Microsoft acknowledges wormable vul...