Microsoft is warning of critical zero-day flaws in its Windows operating system that could enable remote code execution. The unpatched flaws are being exploited by attackers in “limited, targeted” attacks, the company said.

According to Microsoft, two remote code execution vulnerabilities exist in the way that Windows’ Adobe Type Manager Library handles certain fonts. Adobe Type Manager is a font management tool built into both Mac OS and Windows operating systems, and produced by Adobe. While no patches are available for the flaws, workaround mitigations can protect users.

“Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released,” according to a Monday Microsoft security advisory.



While no patches are available yet, Microsoft recommended a slew of mitigations and workarounds. These include disabling the Preview pane and Details pane in Windows. With the panes disabled, Windows Explorer (or File Explorer in Windows 10) will not automatically display OpenType fonts.

“Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer,” said Microsoft. “While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.”

Other workarounds include disabling the WebClient service. Microsoft said that disabling this service blocks the Web Distributed Authoring and Versioning (WebDAV) client service, which is a “likely remote attack vector.” WebDAV is an HTTP extension that allows clients to perform remote Web content authoring operations.

“After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet,” said Microsoft.

Another workaround is renaming ATMFD.DLL (the file name of Adobe Type Manager Font Driver), said Microsoft. The company also noted that for systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.
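To confirm which of these workarounds are actually in place on a host, an administrator can run a read-only check like the one below. This is an added example, not taken from Microsoft's advisory; the function name `Get-AtmfdWorkaroundStatus` is hypothetical, and the script assumes ATMFD.DLL resides in the System32 (and, on 64-bit systems, SysWOW64) directory under `%windir%`.

```powershell
# Added example: read-only audit of two workarounds named in the article
# (WebClient service disabled, ATMFD.DLL renamed). It changes nothing.
# Assumption: ATMFD.DLL lives in %windir%\System32 and, on 64-bit systems,
# %windir%\SysWOW64. Run from a 64-bit PowerShell session so that System32
# is not silently redirected to SysWOW64.
function Get-AtmfdWorkaroundStatus {
    [CmdletBinding()]
    param()

    $results = @()

    # Workaround: disable the WebClient (WebDAV) service.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $results += [pscustomobject]@{
            Check             = 'WebClient service'
            State             = 'Service not installed'
            WorkaroundApplied = $true
        }
    } else {
        # StartType is exposed by Get-Service in Windows PowerShell 5.x and later.
        $results += [pscustomobject]@{
            Check             = 'WebClient service'
            State             = "Status=$($svc.Status); StartType=$($svc.StartType)"
            WorkaroundApplied = ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running')
        }
    }

    # Workaround: rename ATMFD.DLL. A file still present under its original
    # name means the rename has not been applied in that directory.
    foreach ($dir in 'System32', 'SysWOW64') {
        $folder = Join-Path $env:windir $dir
        if (-not (Test-Path -LiteralPath $folder)) { continue }  # e.g. no SysWOW64 on 32-bit

        $present = Test-Path -LiteralPath (Join-Path $folder 'atmfd.dll')
        $state = 'Absent (renamed or not shipped)'
        if ($present) { $state = 'Present under original name' }
        $results += [pscustomobject]@{
            Check             = "$dir\atmfd.dll"
            State             = $state
            WorkaroundApplied = (-not $present)
        }
    }

    $results
}

Get-AtmfdWorkaroundStatus | Format-Table -AutoSize
```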

Microsoft said it is currently working on a fix and that a patch would likely come during its regularly scheduled Patch Tuesday updates (scheduled for April 14).