Windows users under attack via two new RCE zero-days

Attackers are exploiting two new zero-days in the Windows Adobe Type Manager Library to achieve remote code execution on targeted Windows systems, Microsoft warns.


The attacks are limited and targeted, the company noted, and provided workarounds to help reduce customer risk until a fix is developed and released.

More about the new Windows zero-days

According to the security advisory published on Monday, the vulnerabilities arise from the affected library’s improper handling of a specially crafted multi-master font in the Adobe Type 1 PostScript format.

“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” the company shared, and said that the Outlook Preview Pane is not an attack vector for this vulnerability.

The flaws affect:

  • Windows 10
  • Windows 8.1
  • Windows 7
  • Windows RT 8.1
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 2016
  • Windows Server 2019
  • Windows Server, version 1803
  • Windows Server, version 1903
  • Windows Server, version 1909

“For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” Microsoft added.

Mitigations and workarounds

Enhanced Security Configuration, which is on by default on Windows Servers, does not mitigate the vulnerabilities.

Offered workarounds include disabling the Preview Pane and Details Pane in Windows Explorer, disabling the WebClient service, and renaming the ATMFD.DLL file. Microsoft explains how to do all that and the impacts of these workarounds in the security advisory.

The company did not offer more details about the attacks, nor did it say when the security updates will be released, but it noted that users of Windows 7, Windows Server 2008, or Windows Server 2008 R2 will need an Extended Security Updates (ESU) license to receive them.

UPDATE (March 24, 2020, 11:20 a.m. PT):

Microsoft has updated the advisory to say that “the threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015,” and that they are not aware of any attacks against the Windows 10 platform.

“The possibility of remote code execution is negligible and elevation of privilege is not possible,” the company noted, and advised IT administrators running Windows 10 not to implement the provided workarounds.
