Font File Fail: Critical Windows Zero-Day; Patch in 3 Weeks

Microsoft is warning Windows users about a new unpatched vulnerability being exploited in the wild. Deemed “critical,” the security bug is in an Adobe font-handling library that shipped with every version of Windows for at least a decade.

All that’s needed is for an attacker to make you open or preview a document. Then you’re pwned (although things aren’t so bad with later versions of Windows 10).

Microsoft refuses to patch Windows 7, unless you have expensive enterprise support. In today’s SB Blogwatch, we wait for Patch Tuesday, in mid-April.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: break time.


ODT ATM DLL RCE: WTF?

What’s the craic, Zack? Mister Whittaker reports—“Microsoft says hackers are attacking Windows users with a new unpatched bug”:

 Attackers are exploiting a previously undisclosed … vulnerability found in all supported versions of Windows. … There is currently no patch.

The security flaw, which Microsoft [gave] its highest severity rating, is found in how Windows handles and renders fonts. … Although Windows 7 is also affected, only enterprise users with extended security support will receive patches.

A spokesperson for Microsoft … suggested the patch would land on … April 14.

We have to wait how long? Shaun Nichols contextualizes—“It’s 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes”:

 Given that businesses, tied up with the coronavirus pandemic, may not be able to install patches across their fleets right now, outside of the Patch Tuesday cycle, Microsoft has decided to keep its cards close to its chest.

Should the number of attacks expand significantly beyond a “limited number,” we could see an emergency out-of-band update released sooner. Or at least you’d hope so.

And Dan Goodin adds—“There’s no patch. … Here’s what to do”:

 The phrase “limited targeted attacks” is frequently shorthand for exploits carried out by hackers carrying out espionage operations on behalf of governments. [But] new campaigns sometimes sweep larger and larger numbers of targets once awareness of the underlying vulnerabilities becomes more widespread.

The security flaw exists in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts. … The vulnerability consists of two code-execution flaws that can be triggered by the improper handling of maliciously crafted master fonts in the Adobe Type 1 Postscript format.

Microsoft is suggesting users use one or more of the following workarounds:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient service
  • Rename ATMFD.DLL, or alternatively, disable the file from the registry
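The three workarounds above are manual steps in the advisory; here they are as a PowerShell script, added for this page and not taken from the article or from Microsoft. It reports the current state, applies the changes only with -Apply, and keeps the original ACL of ATMFD.DLL for rollback. Two registry value names are assumptions to be checked against ADV200006 before use: ShowPreviewHandlers (backing the Explorer "show preview handlers" option) and DisableATMFD (the advisory's registry alternative to renaming the DLL). Run from a 64-bit, elevated PowerShell so System32 is not redirected to SysWOW64.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or Microsoft's code): report and apply the
# ADV200006-style workarounds. Registry value names marked ASSUMPTION must be
# verified against the advisory before production use.
param(
    [switch]$Apply   # without -Apply the script only reports current state
)

$previewKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$atmfdKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$atmfdDlls  = @("$env:windir\System32\atmfd.dll")
if ([Environment]::Is64BitOperatingSystem) { $atmfdDlls += "$env:windir\SysWOW64\atmfd.dll" }

function Get-RegDword([string]$Key, [string]$Name) {
    # Returns the DWORD value, or $null when the key or value is absent.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-MitigationStatus {
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # ASSUMPTION: 'Show preview handlers in preview pane' maps to this value (0 = off).
        PreviewHandlersDisabled = (Get-RegDword $previewKey 'ShowPreviewHandlers') -eq 0
        WebClientPresent        = [bool]$svc
        WebClientStopped        = (-not $svc) -or ($svc.Status -eq 'Stopped')
        # ASSUMPTION: DisableATMFD under this key is the advisory's registry alternative.
        AtmfdDisabledByRegistry = (Get-RegDword $atmfdKey 'DisableATMFD') -eq 1
        AtmfdDllsPresent        = @($atmfdDlls | Where-Object { Test-Path -LiteralPath $_ })
    }
}

function Disable-PreviewHandlers {
    # Takes effect for new Explorer windows / next sign-in; the pane toggles themselves are GUI settings.
    New-ItemProperty -Path $previewKey -Name ShowPreviewHandlers -PropertyType DWord -Value 0 -Force | Out-Null
}

function Disable-WebClient {
    if (-not (Get-Service -Name WebClient -ErrorAction SilentlyContinue)) { return }
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
}

function Disable-Atmfd {
    foreach ($dll in $atmfdDlls) {
        if (-not (Test-Path -LiteralPath $dll)) { continue }   # nothing to rename on this build
        takeown.exe /f $dll | Out-Null                          # WRP-protected: take ownership first
        icacls.exe $dll /save "$dll.acl" | Out-Null             # keep the original ACL for rollback
        icacls.exe $dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -LiteralPath $dll -NewName 'x-atmfd.dll'
    }
    # Registry alternative for builds that still load the DLL as a font driver.
    New-ItemProperty -Path $atmfdKey -Name DisableATMFD -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-MitigationStatus
$before | Format-List
if ($Apply) {
    Disable-PreviewHandlers
    Disable-WebClient
    Disable-Atmfd
    Write-Warning 'Reboot required for the ATMFD.DLL rename to take effect.'
    Get-MitigationStatus | Format-List
}
```

To roll back the DLL rename, reverse it (`Rename-Item x-atmfd.dll atmfd.dll`) and restore the saved ACL with `icacls <dir> /restore atmfd.dll.acl`, then reboot. Disabling WebClient breaks WebDAV access, so check for line-of-business dependencies before fleet-wide deployment.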

Head, meet desk. Microsoft explains itself—“ADV200006”:

 Updates that address security vulnerabilities in Microsoft software are typically released on … the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.

For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities. … Enhanced Security Configuration does not mitigate this vulnerability.

Seriously? A font file? This Anonymous Coward thinks clearly:

 If your OS can be pwned simply by opening a document sent in an email, your OS is not fit for purpose. Spam is an annoyance, not a security risk.

Tell me again why font files are actually executables? Here’s tlhIngan:

 Because the geometric shapes often need adjusting — for small sizes they may need to be “fattened” up so thin strokes don’t disappear into nothingness. When rendering the font on screen, perhaps it needs to be fattened so it will at least turn the pixel a solid color, again, keeping thin elements from being rasterized into background and making it hard to read.

Then there’s all sorts of other typographical things that can happen including leading and kerning. And do odd things like turn –> into an arrow shape, yet be perfectly editable as 3 separate characters.

Blame Microsoft? Not so fast, thinks Nilt:

 Ah, good old Adobe. The “gift” that keeps on giving, whether you like it or not.

But Hanno Böck—@hanno—is confused:

 Is it just me or is this Windows advisory really badly written and very confusing?

At the top it says it’s a vulnerability in type1 font parsing. Later on they say something about previews for OTF fonts. Isn’t OTF something different than type1?
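The Type 1 and OTF mentions in the advisory refer to different container formats, and the first thing a triage script needs is to tell them apart. The PowerShell below is an added example for this page, not code from the advisory or the article: it classifies a file by its leading bytes (PFB segment header, PFA "%!" comment, the sfnt tags OTTO/true/ttcf, WOFF) and flags Type 1 programs that declare Multiple Master design axes, the "master fonts" mentioned above. The quarantine path is an assumption; which container reaches which Windows parser is not something this page establishes.

```powershell
# Added example, not part of the article: identify a font file's container from its
# leading bytes and flag Multiple Master Type 1 programs. Signatures come from the
# respective format specifications; the scan root below is an assumed path.
function Get-FontContainer {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 64
        $n   = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($n -lt 4) { return 'too-short' }
    $ascii = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)

    # PFB: each segment starts with 0x80 then a type byte (1 = ASCII text, 2 = binary).
    if ($buf[0] -eq 0x80 -and $buf[1] -eq 0x01) { return 'Type1-PFB' }
    # PFA: plain PostScript text beginning with a %! comment line.
    if ($ascii.StartsWith('%!PS-AdobeFont') -or $ascii.StartsWith('%!FontType1')) { return 'Type1-PFA' }
    if ($ascii.StartsWith('OTTO')) { return 'OpenType-CFF' }   # sfnt wrapper around CFF outlines
    if ($buf[0] -eq 0 -and $buf[1] -eq 1 -and $buf[2] -eq 0 -and $buf[3] -eq 0) { return 'TrueType' }
    if ($ascii.StartsWith('true') -or $ascii.StartsWith('ttcf')) { return 'TrueType' }
    if ($ascii.StartsWith('wOFF') -or $ascii.StartsWith('wOF2')) { return 'WOFF' }
    return 'unknown'
}

function Test-MultipleMasterType1 {
    # Multiple Master fonts declare their design axes in the cleartext part of the program.
    param([Parameter(Mandatory)][string]$Path)
    $kind = Get-FontContainer -Path $Path
    if ($kind -notlike 'Type1-*') { return $false }
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    return ($text -match '/BlendDesignPositions' -or $text -match '/BlendAxisTypes')
}

# Inventory a folder tree, e.g. an attachment quarantine directory (assumed path).
Get-ChildItem -LiteralPath 'C:\Quarantine' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path           = $_.FullName
            Kind           = Get-FontContainer -Path $_.FullName
            MultipleMaster = (Test-MultipleMasterType1 -Path $_.FullName)
        }
    } | Where-Object { $_.Kind -ne 'unknown' } | Format-Table -AutoSize
```

The classifier deliberately ignores file extensions: a Type 1 program renamed to .otf, or embedded in a document, still starts with the same bytes, which is why the header rather than the name is what a mail gateway or EDR rule should key on.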

Meanwhile, Iggy the Jiggy Piggy seems to speak for many:

  Go **** yourself Microsoft.

And Finally:

Working from home? Not all breaks are equal.

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Alexnewworld (Pixabay)

Richi Jennings



Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
