Microsoft issues advisory for two zero-day RCE vulnerabilities exploited in the wild (updated)

Microsoft issues advisory for two zero-day RCE vulnerabilities exploited in wild

Microsoft has issued a new security advisory for two remote code execution (RCE) vulnerabilities in Adobe Type Manager (ATM) Library exploited in the wild. The company also issued new updates regarding Windows 10 system severity and workaround guidance.

Article updated on March 26, 2020.

Microsoft warned of “limited targeted attacks that could leverage un-patched vulnerabilities” in the Adobe Type Manager Library (atmfd.dll), a library that Microsoft uses to render PostScript Type 1 fonts in Windows.

Furthermore, Microsoft added another update on Tuesday that there have been limited targeted attacks against Windows 7 systems.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format,” Microsoft stated in the advisory.

“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

As a result, the company is providing workaround guidance to reduce the risk until a permanent patch is released.

Those workarounds include (depending on OS version):

  1. Disabling the Preview Pane and Details Pane in Windows Explorer
  2. Disabling the WebClient service
  3. Renaming ATMFD.DLL.

The CERT Coordination Center also issued a security advisory and stated the third option, renaming ATMFD.DLL, appears to be to the most effective workaround as it blocks vulnerable code from being used by Windows.

The initial CVSS base score of 10 and severity of Critical.

This post will be updated as soon as a patch is made available.

Update on March 26, 2020:

Microsoft updated their advisory on the RCE vulnerability with the following statement:

“The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015.”

Microsoft also reduced the vulnerability severity for Windows 10 and server systems to Important (from Critical). The company also added updates to workarounds in the advisory.

Update on April 14, 2020:

Microsoft updated advisory to include reference to CVE-2020-1020 for this vulnerability.

Related articles