Adobe Type Manager Library Font Parsing Remote Code Execution Vulnerabilities Exploited in the Wild (ADV200006)

Microsoft releases an out-of-band advisory for remote code execution vulnerabilities being actively exploited in the wild.

Update April 14, 2020: Microsoft has updated its advisory with reference to CVE-2020-1020, and our solution section has been updated as well.

Background

On March 23, Microsoft released an advisory for two vulnerabilities in Adobe Type Manager (ATM) Library, an integrated PostScript font library found in all versions of Windows. Although the name of the ATM library came from an Adobe developed tool, ATM Light, Microsoft included native support for the ATM fonts with the release of Windows Vista in 2007. These vulnerabilities therefore exist within Windows’ native integration for support of PostScript fonts.

To be clear and despite its name, this is *not* Adobe code. Microsoft was given the source code for ATM Light for inclusion in Windows 2000/XP. After that, Microsoft took 100% responsibility for maintaining the code.

— Rosyna Keller (@rosyna) March 23, 2020

Exploitation of these vulnerabilities could result in code execution on affected systems. Users are urged to implement Microsoft’s suggested workarounds to reduce risk until a patch is available.

Analisi

According to the advisory, an attacker could gain code execution on a vulnerable machine after a user on that machine opened a specially crafted document or viewed that document in the Windows Preview pane.

The vulnerabilities exist within the way that Windows parses OpenType fonts. Successful exploitation would require an attacker to convince a user to open a malicious document or visit a malicious page that exploits the WebClient service which is normally listening for WebDAV file shares.

Microsoft also states: “The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015. Please see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.”

Proof of concept

There are no known public proofs of concepts available for these vulnerabilities at this time, but Microsoft notes it is aware of “limited targeted Windows 7 based attacks” exploiting these vulnerabilities in the wild.

Vendor response

Microsoft released its advisory outside of the normal update cycle to provide workarounds.

Solution

Microsoft offers several workarounds, including disabling the Preview pane and Details pane in Windows Explorer, disabling the WebClient service and renaming the Adobe Type Manager Font Driver dll file (ATMFD.dll). For the full details on the workarounds and their impact, please review the Workarounds section of the advisory. Organizations should deploy those workarounds as necessary. An update to fix this vulnerability was released in Microsoft's April 2020 Patch Tuesday and can be found here.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Get more information

• Microsoft Advisory for ADV200006
• Microsoft's Page for CVE-2020-1020

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.