Adobe Type Manager Library Font Parsing Remote Code Execution Vulnerabilities Exploited in the Wild (ADV200006)
By: Ryan Seguin
DEK: Microsoft releases an out-of-band advisory for remote code execution vulnerabilities being actively exploited in the wild.
Update March 24, 2020: Microsoft has updated their advisory with additional clarifying information, and our analysis and proof of concept sections have been updated to reflect the change.
On March 23, Microsoft released an advisory for two vulnerabilities in Adobe Type Manager (ATM) Library, an integrated PostScript font library found in all versions of Windows. Although the name of the ATM library came from an Adobe developed tool, ATM Light, Microsoft included native support for the ATM fonts with the release of Windows Vista in 2007. These vulnerabilities therefore exist within Windows’ native integration for support of PostScript fonts.
To be clear and despite its name, this is *not* Adobe code. Microsoft was given the source code for ATM Light for inclusion in Windows 2000/XP. After that, Microsoft took 100% responsibility for maintaining the code.— Rosyna Keller (@rosyna) March 23, 2020
Exploitation of these vulnerabilities could result in code execution on affected systems. Users are urged to implement Microsoft’s suggested workarounds to reduce risk until a patch is available.
At the time this blog post was published, there were no assigned CVE identifiers for the two vulnerabilities in Microsoft’s advisory. According to the advisory, an attacker could gain code execution on a vulnerable machine after a user on that machine opened a specially crafted document or viewed that document in the Windows Preview pane.
The vulnerabilities exist within the way that Windows parses OpenType fonts. Successful exploitation would require an attacker to convince a user to open a malicious document or visit a malicious page that exploits the WebClient service which is normally listening for WebDAV file shares.
Microsoft also states: “The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015. Please see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.”
Proof of concept
There are no known public proofs of concepts available for these vulnerabilities at this time, but Microsoft notes it is aware of “limited targeted Windows 7 based attacks” exploiting these vulnerabilities in the wild.
Microsoft released its advisory outside of the normal update cycle to provide workarounds, noting that a fix is forthcoming.
Microsoft offers several workarounds, including disabling the Preview pane and Details pane in Windows Explorer, disabling the WebClient service and renaming the Adobe Type Manager Font Driver dll file (ATMFD.dll). For the full details on the workarounds and their impact, please review the Workarounds section of the advisory. Organizations should deploy those workarounds as necessary.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Tenable will release plugins once a patch is available from Microsoft, which is expected to be released on April’s Patch Tuesday based on Microsoft’s wording in the FAQ section of Microsoft’s advisory.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.