Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Adobe Type Manager Library Font Parsing Remote Code Execution Vulnerabilities Exploited in the Wild (ADV200006)

Adobe Type Manager Library Font Parsing Remote Code Execution Vulnerabilities Exploited in the Wild (ADV200006)

By: Ryan Seguin

DEK: Microsoft releases an out-of-band advisory for remote code execution vulnerabilities being actively exploited in the wild.

Update March 24, 2020: Microsoft has updated their advisory with additional clarifying information, and our analysis and proof of concept sections have been updated to reflect the change.

Background

On March 23, Microsoft released an advisory for two vulnerabilities in Adobe Type Manager (ATM) Library, an integrated PostScript font library found in all versions of Windows. Although the name of the ATM library came from an Adobe developed tool, ATM Light, Microsoft included native support for the ATM fonts with the release of Windows Vista in 2007. These vulnerabilities therefore exist within Windows’ native integration for support of PostScript fonts.

Exploitation of these vulnerabilities could result in code execution on affected systems. Users are urged to implement Microsoft’s suggested workarounds to reduce risk until a patch is available.

Analysis

At the time this blog post was published, there were no assigned CVE identifiers for the two vulnerabilities in Microsoft’s advisory. According to the advisory, an attacker could gain code execution on a vulnerable machine after a user on that machine opened a specially crafted document or viewed that document in the Windows Preview pane.

The vulnerabilities exist within the way that Windows parses OpenType fonts. Successful exploitation would require an attacker to convince a user to open a malicious document or visit a malicious page that exploits the WebClient service which is normally listening for WebDAV file shares.

Microsoft also states: “The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015. Please see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.”

Proof of concept

There are no known public proofs of concepts available for these vulnerabilities at this time, but Microsoft notes it is aware of “limited targeted Windows 7 based attacks” exploiting these vulnerabilities in the wild.

Vendor response

Microsoft released its advisory outside of the normal update cycle to provide workarounds, noting that a fix is forthcoming.

Solution

Microsoft offers several workarounds, including disabling the Preview pane and Details pane in Windows Explorer, disabling the WebClient service and renaming the Adobe Type Manager Font Driver dll file (ATMFD.dll). For the full details on the workarounds and their impact, please review the Workarounds section of the advisory. Organizations should deploy those workarounds as necessary.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Tenable will release plugins once a patch is available from Microsoft, which is expected to be released on April’s Patch Tuesday based on Microsoft’s wording in the FAQ section of Microsoft’s advisory.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.