Updates for the critical-rated vulnerabilities,
which are being actively exploited in the wild, are still weeks away
Attackers are actively
exploiting two previously undisclosed security vulnerabilities that affect all
supported as well as some of the no-longer-supported versions of the Windows
operating system, Microsoft
announced in an out‑of‑band advisory on Monday.
The security flaws, rated
as critical, are being abused for limited targeted attacks. This would imply
campaigns by advanced threat actors compromising carefully chosen targets. That
said, citing the need to “help reduce customer risk until the security update
is released”, the tech giant disclosed the flaws publicly.
“Two remote code execution
vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library
improperly handles a specially-crafted multi-master font – Adobe Type 1
PostScript format,” said the tech giant. Adobe Type Manager is a font
management tool that helps Windows handle and render fonts.
There are several ways how
bad actors can leverage the flaws, including by tricking their targets into
opening a booby-trapped file or into viewing it in the Windows Preview pane,
said Microsoft.
Microsoft is aware of limited
targeted attacks that could leverage unpatched vulnerabilities in the Adobe
Type Manager Library, and is providing guidance to help reduce customer risk
until the security update is released. See the link for more details. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006 …
Patch?
The flaws affect all
supported versions of Windows, including Windows 10, as well as systems that
are past end‑of‑life, notably Windows 7. Importantly, no patch is
available for any of them, and Microsoft hinted that the fix wouldn’t arrive
until the forthcoming Patch Tuesday rollout of security updates on April 14th. Even so,
machines running the retired operating systems won’t receive the update even
after it’s shipped – unless their owners are enrolled in Microsoft’s Extended
Security Updates (ESU) program.
While the flaws are rated
as critical for all affected systems, the company noted that on Windows 10 the
potential for exploitation is limited. “For systems running supported versions
of Windows 10 a successful attack could only result in code execution within an
AppContainer sandbox context with limited privileges and capabilities,” said
the tech giant. As of the time of writing, the vulnerabilities have yet to be
assigned CVE identifiers.
Microsoft suggested a slew
of temporary mitigations and workarounds to counter the risk while the patch is
in the works. These include disabling the Preview Pane and Details Pane in
Windows Explorer and renaming the library (atmfd.dll). Step-by-step guidance is
available in the company’s advisory.
Weeks ago, Microsoft
released patches for a critical
cryptographic flaw in Windows and a zero-day in Internet
Explorer. ESET researchers
uncovered an exploit in 2018 that leveraged a pair
of two zero-days in
Adobe Reader and Windows, while last year they found an exploit that abused
another Windows
zero-day vulnerability (CVE‑2019‑1132).