Microsoft is warning customers about two newly discovered remote code execution vulnerabilities in Windows, both related to the Adobe Type Manager, that are under active attack right now.
The vulnerabilities affect most of the currently supported versions of Windows desktop and server, and Microsoft has rated the bugs as critical for all of the affected releases. The company said that it is aware of some targeted attacks that are exploiting these vulnerabilities, making them quite dangerous for end users and enterprises. Attackers could exploit the flaws in a couple of ways, including through a simple malicious Office document.
Microsoft is working on patches, but the next scheduled release would not be until April 14.
“Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released,” the Microsoft advisory says.
“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”
The Adobe Type Manager is a font-management library that has been in use in macOS and Windows for many years. Although the vulnerabilities are rated critical in all of the affected versions, they may have different outcomes on different versions. For example, on Windows 10 a successful attack would only grant the attacker limited privileges as it would be within the context of an AppContainer sandbox.
Although there is no patch available for these flaws, there are some workarounds that can mitigate the effects of the most dangerous exploits against them. Disabling the Preview and Details panes in Windows Explorer and disabling the WebClient service are both useful workarounds.
“Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability,” the advisory says.
The second mitigation, turning off the WebClient service, provides an even better mitigation of the flaws.
“Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet,” the advisory says.
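One way to audit and apply the WebClient workaround described above, as an added PowerShell example that is not taken from the Microsoft advisory. The function name `Set-WebClientMitigation` and the shape of its output object are assumptions made for illustration; applying the change requires an elevated prompt.

```powershell
# Added example: report on, and optionally disable, the WebClient (WebDAV) service.
# Set-WebClientMitigation is a hypothetical name, not a built-in cmdlet.
function Set-WebClientMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Apply   # without -Apply the function only reports current state
    )

    $filter = "Name='WebClient'"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    if (-not $svc) {
        # The service is not installed on this host, so there is nothing to disable.
        return [pscustomobject]@{
            Host = $env:COMPUTERNAME; Present = $false
            PreviousStartMode = $null; State = $null; StartMode = $null; Mitigated = $true
        }
    }

    # Keep the original startup mode so the change can be reverted after patching.
    $previous = $svc.StartMode

    if ($Apply) {
        if ($svc.State -ne 'Stopped' -and $PSCmdlet.ShouldProcess('WebClient', 'Stop service')) {
            Stop-Service -Name WebClient -Force -ErrorAction Stop
        }
        if ($svc.StartMode -ne 'Disabled' -and $PSCmdlet.ShouldProcess('WebClient', 'Set startup type to Disabled')) {
            Set-Service -Name WebClient -StartupType Disabled -ErrorAction Stop
        }
        $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter   # re-read after changes
    }

    # A stopped service whose startup type is not Disabled can be started again,
    # so the workaround only counts as applied when both conditions hold.
    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        Present           = $true
        PreviousStartMode = $previous
        State             = $svc.State
        StartMode         = $svc.StartMode
        Mitigated         = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}

Set-WebClientMitigation                    # audit only
# Set-WebClientMitigation -Apply -WhatIf   # preview the changes
# Set-WebClientMitigation -Apply           # stop and disable the service
```

Record `PreviousStartMode` before applying so the service can be restored to its original startup type once the security update is installed.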