Microsoft releases an out-of-band advisory for remote code execution vulnerabilities being actively exploited in the wild.
Background
On March 23, Microsoft released an advisory for two vulnerabilities in Adobe Type Manager (ATM) Library, an integrated PostScript font library found in all versions of Windows. Although the name of the ATM library came from an Adobe developed tool, ATM Light, Microsoft included native support for the ATM fonts with the release of Windows Vista in 2007. These vulnerabilities therefore exist within Windows’ native integration for support of PostScript fonts.
To be clear and despite its name, this is *not* Adobe code. Microsoft was given the source code for ATM Light for inclusion in Windows 2000/XP. After that, Microsoft took 100% responsibility for maintaining the code.
— Rosyna Keller (@rosyna) March 23, 2020
Exploitation of these vulnerabilities could result in code execution on affected systems. Users are urged to implement Microsoft’s suggested workarounds to reduce risk until a patch is available.
Analysis
At the time this blog post was published, there were no assigned CVE identifiers for the two vulnerabilities in Microsoft’s advisory. According to the advisory, an attacker could gain code execution on a vulnerable machine after a user on that machine opened a specially crafted document or viewed that document in the Windows Preview pane.
The vulnerabilities exist within the way that Windows parses OpenType fonts. Successful exploitation would require an attacker to convince a user to open a malicious document or visit a malicious page that exploits the WebClient service which is normally listening for WebDAV file shares.
Proof of concept
There are no known public proofs of concepts available for these vulnerabilities at this time, but Microsoft notes it is aware of “limited targeted attacks” exploiting these vulnerabilities in the wild.
Vendor response
Microsoft released its advisory outside of the normal update cycle to provide workarounds, noting that a fix is forthcoming.
Solution
Microsoft offers several workarounds, including disabling the Preview pane and Details pane in Windows Explorer, disabling the WebClient service and renaming the Adobe Type Manager Font Driver dll file (ATMFD.dll). For the full details on the workarounds and their impact, please review the Workarounds section of the advisory. Organizations should deploy those workarounds as necessary.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Tenable will release plugins once a patch is available from Microsoft, which is expected to be released on April’s Patch Tuesday based on Microsoft’s wording in the FAQ section of Microsoft’s advisory.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.