Zero-day vulnerabilities in Adobe Type Manager Library affects multiple Windows OSs

Microsoft has posted a security advisory about vulnerabilities in Adobe Type Manager Library, which are already being exploited by cybercriminals.

Microsoft security advisory ADV200006

Updated on April 14.

Microsoft has issued a warning about two new vulnerabilities in the Adobe Type Manager Library. Moreover, according to their information, some attackers are already exploiting them in targeted attacks. On April 14, Microsoft released security updates that address these vulnerabilities.

What is Adobe Type Manager Library and how is it vulnerable

There were times when, to see proprietary Adobe fonts in Windows, you had to install additional software — Adobe Type Manager. This was not very convenient for the end users, so Adobe eventually opened the specifications for its formats and Microsoft built the font support into its operating systems. This is what Windows Adobe Type Manager Library is used for.

According to Microsoft, the problem is in how the library handles fonts of one particular format — Adobe Type 1 PostScript fonts. An attacker can craft a Type 1 PostScript font in such a way, that they gain the ability to execute arbitrary code on a Windows machine. There are several attack vectors to exploit the vulnerability — attackers can somehow convince the victim to open a malicious document or simply to view it through the “Preview Pane” (this refers to the system pane, and not to a similar function in the Microsoft Outlook mail client).

Attackers also can exploit this vulnerability through an extension to the HTTP called Web Distributed Authoring and Versioning (WebDAV), which allows users to collaborate on a document.

Microsoft suggests disabling the WebClient service, which allows you to use this feature, and stresses that this is the most likely remote attack vector.

Which systems are vulnerable

The vulnerability is present in 40 different versions of the operating systems Windows 10, Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019. Microsoft security advisory ADV200006 contains a full list of vulnerable systems.

However, the company explains that in supported versions of Windows 10 a successful attack will only allow malicious code to be executed in the context of the AppContainer sandbox with limited privileges and capabilities.

Update: According to Microsoft exploitation of this vulnerability under Windows 10 is unlikely. They even lowered severity of this problem from “critical” to “important” and do not recommend to use any workarounds for this system. They also emphasize that targeted attacks were on Windows 7-based systems.

Is there a patch?

On April 14, Microsoft released security updates that address these vulnerabilities.

What to do

From our side, we suggest using a reliable security solution to protect e-mail (since this is the most common method of delivering malicious documents) and also have a protective endpoint solution that can stop malicious activity including exploits. Both tasks can be handled by Kaspersky Endpoint Security for Business advanced. It goes without saying that it’s better not to open documents and e-mail attachments if you are not sure where they came from.

As there are no patches yet, so Microsoft suggests using the following workarounds.

  • Turn off the preview and detail panes.
  • Turn off Webclient service (which will disable WebDAV).
  • Disable ATMFD.DLL library

You can find detailed instructions on how to do all three of these in Microsoft’s security guidance. It’s worth noting that disabling the Webclient service will result in WebDAV requests not being handled and applications relying on WebDAV will not be working correctly. The same is true for disabling ATMFD.DLL — applications that use it will not be working correctly in this case.