Critical Microsoft Security Flaw Exploits Windows Handling Of Font

Microsoft says it’s aware of ‘limited targeted attacks’ that take advantage of Windows Adobe Type Manager Library’s improper handling of a specially crafted multi-master font.


Hackers are exploiting an unpatched Windows security vulnerability that tricks users into opening a malicious document and then remotely runs malware on the system.

The Redmond, Wash.-based vendor said it’s aware of “limited targeted attacks” that take advantage of Windows Adobe Type Manager Library’s improper handling of a specially crafted multi-master font. Attackers could exploit the Adobe Type 1 PostScript format vulnerability by convincing a user to open a specially crated documents or viewing it in the Windows Preview pane, according to Microsoft.

“Microsoft is aware of this vulnerability and is working on a fix,” the company wrote in a security advisory published Monday. “Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.”

Sponsored post

[Related: NSA Sounds Alarm On Severe Microsoft Windows Security Flaw]

Although the Windows Preview Pane is an attack vector for this vulnerability, Microsoft said the Outlook Preview Pane is not an attack vector for this vulnerability. Enhanced Security Configuration – which is on by default on Windows Servers – does not mitigate this vulnerability, according to Microsoft.

Microsoft’s stock fell $1.37 (1 percent) to $135.98 in trading Monday, and then tumbled an additional $0.58 (0.43 percent) to $135.40 during after-hours trading.

The vulnerabilities are all supported versions of Windows, according to Microsoft. For systems running supported versions of Windows 10, Microsoft said a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.

To receive the security update for this vulnerability for Windows 7, Windows Server 2008 or Windows Server 2008 R2, Microsoft said users must have an Extended Security Update (ESU) license. The update is not being released to all Windows 7 customers since the operating system reached end of support on Jan. 14, 2020.

As far as workarounds are concerned, Microsoft said disabling the preview and details panes in Windows Explorer prevents the automatic display of OTF (OpenType format) fonts. While this prevents malicious files from being viewed in Windows Explorer, Microsoft said it doesn’t prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.

Users can additionally disable the WebClient service to protect affected systems from attempts to exploit this vulnerability by blocking the most likely attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. When this service is disabled, Microsoft said WebDAV requests aren’t transmitted and services that depend on the WebClient service won’t start.

After applying this workaround, Microsoft said it’s still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN). However, Microsoft said users will be prompted for confirmation before opening arbitrary programs from the Internet.

For Windows 8.1 operating systems and below, Microsoft said using the Registry Editor incorrectly can cause serious problems that may require users to reinstall their operating systems. Microsoft said it can’t guarantee that problems resulting from the incorrect use of Registry Editor can be solved.

Disabling the Adobe Type Manager Font Driver (ATMFD) will cause applications that rely on embedded font technology to not display properly, and can cause certain applications to stop working properly in they use OpenType fonts, Microsoft said. Third-party applications that install OpenType fonts natively could be affected by this change, according to Microsoft.