Unpatched Windows zero-day flaws are currently being exploited in limited and targeted attacks, Microsoft stated. Microsoft is warning about these vulnerabilities because they may allow remote code execution on the Windows OS. According to Microsoft, the remote code execution vulnerabilities exist in the way the Windows Adobe Type Manager Library handles certain fonts. Adobe Type Manager is a font management tool produced by Adobe and included in both Windows and Mac OS. Although no patches are out yet, there are ways users can protect themselves.
Microsoft shared they are aware of the attacks
The flaw exists because the Windows version of the Adobe Type Manager Library handles multi-master fonts (Adobe Type 1 PostScript format) improperly. Type 1 vector outline fonts are a form of PostScript, the worldwide printing and imaging standard. They contain instructions for drawing outlines from scalable curves and lines, which form the solid shapes of letters and symbols.
According to Microsoft, there are multiple ways an attacker could exploit these vulnerabilities. Attackers may use social engineering to convince users to open poisoned documents or to view them in the Windows Preview pane. The Preview pane is used by File Explorer in Windows 10 to preview video, photos, and other content. At the moment, all currently supported versions of Windows are affected.
Workarounds are possible, according to Microsoft
Although no patches are available at this time, Microsoft shared a few workarounds and mitigations to counteract the flaw. They include disabling the Preview pane and the Details pane in Windows. Doing so means File Explorer (or Windows Explorer in versions older than Windows 10) will not automatically display OpenType fonts.
Disabling the Preview and Details panes prevents malicious files from being viewed, but it does not prevent an authenticated user from running a program to exploit the vulnerability.
Disabling the WebClient service is another workaround, according to Microsoft. Doing so blocks the Web Distributed Authoring and Versioning (WebDAV) client service. WebDAV is an HTTP extension that lets users perform remote web content authoring actions, and Microsoft considers it an attack vector at the moment. After this workaround is applied, it is still possible for attackers to cause the system to run programs located on a computer linked to the Local Area Network (LAN), but users may be prompted to confirm before opening programs from the Internet.
Renaming ATMFD.DLL is a third workaround. ATMFD.DLL is the library file of the Adobe Type Manager Font Driver (ATMFD). The company noted that on systems running supported versions of Windows 10, a successful attack would only achieve code execution inside an AppContainer sandbox, with limited capabilities and privileges.
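The three workarounds above, as an added PowerShell script that is not part of the article and not Microsoft's own guidance text: it disables preview handlers, disables the WebClient service, renames ATMFD.DLL, and then reports the state of each mitigation so the change can be audited. The ShowPreviewHandlers registry value, the x-atmfd.dll name and the takeown/icacls sequence are assumptions drawn from Microsoft's published workaround guidance; confirm them against the current advisory before deploying.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the article's three workarounds and verifies them.
# Run from an elevated PowerShell prompt; a restart is needed after renaming ATMFD.DLL.

# 1. Preview pane / Details pane: stop Explorer from invoking preview handlers.
#    (Registry value name is an assumption based on Microsoft's guidance.)
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
New-ItemProperty -Path $advKey -Name 'ShowPreviewHandlers' -PropertyType DWord -Value 0 -Force | Out-Null

# 2. WebClient (WebDAV) service: stop it and prevent it from starting again.
Stop-Service -Name 'WebClient' -Force -ErrorAction SilentlyContinue
Set-Service  -Name 'WebClient' -StartupType Disabled

# 3. ATMFD.DLL: take ownership, save the original ACL for rollback, then rename.
foreach ($dir in @("$env:windir\System32", "$env:windir\SysWOW64")) {
    $dll = Join-Path $dir 'atmfd.dll'
    if (Test-Path $dll) {
        takeown.exe /f $dll | Out-Null
        icacls.exe $dll /save "$dll.acl" | Out-Null          # keeps the ACL so the rename can be reverted
        icacls.exe $dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path $dll -NewName 'x-atmfd.dll'        # assumed name; any non-loadable name works
    }
}

# Verification: one object summarising whether each mitigation is in place.
function Get-AtmfdMitigationState {
    [pscustomobject]@{
        PreviewHandlersDisabled = ((Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue).ShowPreviewHandlers -eq 0)
        WebClientDisabled       = ((Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue).StartType -eq 'Disabled')
        AtmfdRenamed            = -not (Test-Path "$env:windir\System32\atmfd.dll")
    }
}
Get-AtmfdMitigationState
```

To roll back the rename, restore the original name and reapply the saved ACL with `icacls <dir> /restore atmfd.dll.acl`, then restart.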
Microsoft said it is working on a fix, and a patch should be released as part of the scheduled patch release on April 14.