Attackers are actively exploiting two previously undisclosed security vulnerabilities that affect all supported as well as some of the no-longer-supported versions of the Windows operating system, Microsoft announced in an out‑of‑band advisory on Monday.
The security flaws, rated as critical, are being abused for limited targeted attacks. This would imply campaigns by advanced threat actors compromising carefully chosen targets. That said, citing the need to “help reduce customer risk until the security update is released", the tech giant disclosed the flaws publicly.
“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format,” said the tech giant. Adobe Type Manager is a font management tool that helps Windows handle and render fonts.
There are several ways how bad actors can leverage the flaws, including by tricking their targets into opening a booby-trapped file or into viewing it in the Windows Preview pane, said Microsoft.
Patch?
The flaws affect all supported versions of Windows, including Windows 10, as well as systems that are past end‑of‑life, notably Windows 7. Importantly, no patch is available for any of them, and Microsoft hinted that the fix wouldn’t arrive until the forthcoming Patch Tuesday rollout of security updates on April 14th. Even so, machines running the retired operating systems won’t receive the update even after it’s shipped – unless their owners are enrolled in Microsoft’s Extended Security Updates (ESU) program.
While the flaws are rated as critical for all affected systems, the company noted that on Windows 10 the potential for exploitation is limited. “For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” said the tech giant. As of the time of writing, the vulnerabilities have yet to be assigned CVE identifiers.
Microsoft suggested a slew of temporary mitigations and workarounds to counter the risk while the patch is in the works. These include disabling the Preview Pane and Details Pane in Windows Explorer and renaming the library (atmfd.dll). Step-by-step guidance is available in the company’s advisory.
Weeks ago, Microsoft released patches for a critical cryptographic flaw in Windows and a zero-day in Internet Explorer. ESET researchers uncovered an exploit in 2018 that leveraged a pair of two zero-days in Adobe Reader and Windows, while last year they found an exploit that abused another Windows zero-day vulnerability (CVE‑2019‑1132).