Microsoft: Targeted Attackers Are Exploiting Two Zero-Day Bugs

Written by

Microsoft is warning that targeted attackers are exploiting two Windows zero-day vulnerabilities in the wild.

Issued on Monday, the security advisory flags two previously undisclosed remote code execution (RCE) bugs. The flaws exist in Microsoft Windows when “the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.”

The vulnerabilities are rated critical and are present in Windows 7-10 and Server 2008 to 2019.

“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially-crafted document or viewing it in the Windows Preview pane,” Microsoft explained.

“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.”

Until a patch is available, Microsoft is recommending customers disable the Preview Pane and Details Pane in Windows Explorer, which will mean OTF fonts are no longer automatically displayed.

Another workaround suggested in the security advisory is to disable the WebClient service, which will block what Microsoft described as the “most likely remote attack vector”: the Web Distributed Authoring and Versioning (WebDAV) client service.

However, doing so will mean WebDAV requests aren’t transmitted and any services depending on WebClient won’t start.

A third workaround is to rename ATMFD.DLL, although this doesn’t apply to Windows 10, which doesn’t run the DLL. If organizations decide to go down this path they should be aware that applications that rely on embedded font technology will not display properly.

What’s Hot on Infosecurity Magazine?