Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.
Links:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006
Summary:
- Authored by Kelly Sheridan on Dark Reading, the post details the advisory published by Microsoft (ADV200006) on March 23rd 2020
- Despite affecting all Windows versions, the vulnerability is most lethal on Windows 7 where it can allow an attacker to remotely execute code if exploited
- Microsoft has deemed this a critical vulnerability. Full details are in the Microsoft advisory linked above.
- The vulnerability is triggered when a specially crafted multi-master font in Adobe Type 1 PostScript format is mishandled by the Adobe Type Manager Library
- To invoke this, attackers can craft documents to specifically leverage this vulnerability for nefarious purposes
- The exploit could occur when a user opens one of these documents or views it in the Windows Preview pane in Windows Explorer
- This does not apply to documents previewed in MS Outlook
- Whilst the vulnerability does apply to Windows 10 (amongst other versions), the exploit is a lot less powerful there and an attacker has a vastly reduced ability to execute code
- Microsoft hasn’t released a fix yet, but advises workarounds in the meantime:
  - Disable WebDAV client in Services (doesn’t prevent the exploit)
  - Disable Preview Pane and Details Pane in Explorer
  - Rename ATMFD.dll
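
An added example, not taken from the advisory or the original post: a read-only PowerShell audit that reports whether two of the workarounds above (WebDAV client disabled, ATMFD.dll renamed) are in effect on the local host. The function name `Get-Adv200006WorkaroundStatus` is hypothetical, the `WebClient` service name and the `System32`/`SysWOW64` locations are assumptions not stated on this page, and the Explorer pane settings are not checked.

```powershell
# Added example: read-only audit, changes nothing on the host.
# Get-WmiObject is used so the script also runs on the PowerShell 2.0
# that ships with Windows 7. Run it from a 64-bit PowerShell session;
# a 32-bit session has System32 redirected to SysWOW64.
function Get-Adv200006WorkaroundStatus {
    $results = @()

    # Workaround: WebDAV client disabled (assumed service name: WebClient).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($svc) {
        # A disabled service that is still running keeps handling WebDAV
        # requests until it is stopped, so both conditions are required.
        $applied = ($svc.StartMode -eq 'Disabled') -and ($svc.State -ne 'Running')
        $state   = "StartMode=$($svc.StartMode), State=$($svc.State)"
    } else {
        # Service not installed on this host: nothing to disable.
        $applied = $true
        $state   = 'service not installed'
    }
    $results += New-Object PSObject -Property @{
        Check = 'WebDAV client disabled'; Applied = $applied; State = $state
    }

    # Workaround: ATMFD.dll renamed. Assumption: the library sits in the
    # standard system directories; SysWOW64 exists only on 64-bit Windows.
    foreach ($dir in 'System32', 'SysWOW64') {
        $folder = Join-Path $env:windir $dir
        if (-not (Test-Path $folder)) { continue }
        $present = Test-Path (Join-Path $folder 'atmfd.dll')
        if ($present) { $state = 'atmfd.dll present under its original name' }
        else          { $state = 'atmfd.dll not found (renamed or absent)' }
        $results += New-Object PSObject -Property @{
            Check = "ATMFD.dll renamed ($dir)"; Applied = (-not $present); State = $state
        }
    }

    $results
}

Get-Adv200006WorkaroundStatus | Format-Table Check, Applied, State -AutoSize
```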
Extracted Indicators:
- ADV200006
- ATMFD.dll
- fontdrvhost.exe
- WebDAV