Operating System:

[Win]

Published:

25 March 2020

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2020.0066.2
        Critical RCE in Windows' Adobe Type Manager Library (ATMFD)
                          announced out of cycle
                               25 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Windows 10
                      Windows 7
                      Windows 8.1
                      Windows RT 8.1
                      Windows Server 2008
                      Windows Server 2012
                      Windows Server 2016
                      Windows Server 2019
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
Member content until: Thursday, April 23 2020

Revision History:     March 25 2020: Added MS note - mitigation not recommended
                                     on Windows 10
                      March 24 2020: Initial Release

OVERVIEW

        Microsoft has published information about a critical vulnerability
        in Windows, in the Windows Adobe Type Manager Library, enabling
        remote code execution when viewing a file containing crafted fonts.
        
        Microsoft advises that there are "limited targeted attacks" in the wild,
        exploiting this vulnerability.
        
        Microsoft are working on an out-of-band patch, but for now only
        mitigation steps are available.
        
        UPDATE: Microsoft is not aware of any attacks against the
        Windows 10 platform and does not recommend implementing the
        provided workarounds on Windows 10.
        [1]


IMPACT

        Microsoft advises:
        
        "Two remote code execution vulnerabilities exist in Microsoft Windows
        when the Windows Adobe Type Manager Library improperly handles
        a specially-crafted multi-master font - Adobe Type 1 PostScript format."
        
        "There are multiple ways an attacker can exploit the vulnerability,
        such as convincing a user to open a specially crafted document
        or viewing it in the Windows Preview pane." [1]


MITIGATION

        "Microsoft is aware of this vulnerability and working on a fix." [1]
        This fix will likely be released before the next Patch Tuesday,
        which is scheduled for April 14th.
        
        In the meantime, Microsoft has published mitigation instructions
        which involve disabling affected features in the Windows Explorer
        file browser, disabling the WebClient service, and optionally disabling
        the whole Adobe Type Manager Font Driver (ATMFD) DLL. [1]


REFERENCES

        [1] Windows: Type 1 Font Parsing Remote Code Execution Vulnerability
            https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXnqYGmaOgq3Tt24GAQjCdRAA2gntT+Q5XHCDciibeQ1VcfXYS10+Y0dk
vze9JTn+j/XT9PpSSOTaitfdXpTBsk+Q+Dh+Helj+apfBxL14vR8aBgaOu0/3ogM
3yF7pWXmwyQHvEbPDwjRkU7ATDEQeQGwMHZYNWfz3R8hYXO07QIRz8iMWoD4D3OP
86lE2eYQYSUiZ6GnnKS2PtUGRHNw46K8x8lVc+NUkwJ1jLhLNNkFp7wQgTG8Vf33
qvGH4P2plX4X3IixsmVZAMLeLPm/K4LEti0FTVDq1u0X/H0Op/QJZ9jsMhPgMq+N
/lk+Ws35vgy5Qj7Ej5g2n/jDM2JrYxFFFy2RalUsSU//sSXnRQv0K1yzdqeIv+oa
6dIu7NWjBW77IzKhQJbP+oXaqAUlPmMuxJgB4FP8MJ2swbZJvDOgSi29kmAX9/Lm
MdOHiNh4lyUktg7bMn57pDaxYmpMOHp7v4T7P0956YolrnljjUh/gR9BS6kITSV3
3QZohVX5llFT1IgmIvBXqRBW/3Gh+NuA47/SNUI8JDjOOJzS/BAq49JN36XpAEiG
bu8e6DqO18SL5nDdOhTFM7ZwWDflxRIk4znJLpOyEJMgT/UHlnM+YOlQ5B9f3NM6
y7dZ6fu9u0n7AwovAbmshzYPzZBc7y3FFJQbDLk+/yfpWOQmSGOiY6OZbq0LGbzQ
WCnygr4hEQc=
=d65i
-----END PGP SIGNATURE-----