Microsoft Alerts Users About Critical Font-related Remote Code Execution Vulnerability in Windows

Microsoft released a security advisory on a zero-day remote code execution (RCE) vulnerability affecting Windows operating systems. The vulnerability is found in an unpatched library.

The vulnerability comprises two RCE flaws found in Adobe Type Manager Library (atmfd.dll), a built-in library for the Adobe Type Manager font management tool in Windows. The library is used to render fonts using the Adobe Type 1 PostScript format, the mishandling of which results in a vulnerability.

Threat actors can exploit the vulnerability in a variety of ways, such as luring users into opening a specially crafted document or viewing it in the Windows Preview pane. Upon exploiting the vulnerability, threat actors can run code and perform actions on the user’s system, unbeknown to the user.

Because it can be used for RCE, Microsoft rated the severity of this vulnerability as critical, although the company described the attacks that could exploit it as limited and targeted. All currently supported versions of Windows are affected.

Earlier this month, Microsoft found and patched an RCE flaw in its Server Message Block (SMBv3) protocol.

Vulnerability Workarounds

While there is no fix yet, Microsoft recommended mitigations and workarounds in its security advisory, including step-by-step instructions on how to apply them. The workarounds include the following:
  • Disable the Preview Pane and Details Pane in Windows Explorer. This prevents the automatic display of OpenType fonts (OTFs) in Windows Explorer and the viewing of malicious files. However, it doesn’t stop local, authenticated users from running specially crafted programs that exploit the vulnerability.
  • Disable the WebClient service. This blocks remote attacks coursed through the Web Distributed Authoring and Versioning (WebDAV) client service. After the application of this workaround, remote attackers can still run programs on a user’ computers or local area network (LAN). But this time, a confirmation will be requested from the user before launching arbitrary programs from the internet.
  • Rename atmfd.dll through an administrative command prompt. This is not available for Windows 10 version 1709 and subsequent versions.
Users are advised to deploy operating system updates as soon as they are available. 

Trend Micro Solutions

Trend Micro users and customers are protected from the exploitation of this vulnerability with the following rule:
  • Deep Security and Vulnerability Protection Rule 1010207 - Microsoft Windows Multiple Type1 Font Parsing Remote Code Execution Vulnerabilities
  • TippingPoint Filter 37431: HTTP: Microsoft Windows Type 1 PostScript Parsing Memory Corruption Vulnerability

Updated on March 24, 2020 09:00 PM EST to include Trend Micro solutions.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.