March 23, 2020 (updated 24 Mar 2020 3:02pm)

Two Critical New Windows 0Days Being Actively Exploited – No Patch Yet

Vulnerabilities are in atmfd.dll: a kernel module provided by Windows

By CBR Staff Writer

All currently supported versions of Microsoft Windows (server and desktop) are exposed to two new remote code execution (RCE) vulnerabilities which are being actively exploited in the wild in “limited targeted attacks” — and there’s no patch yet.

The new Windows 0days are in atmfd.dll: a kernel module that ships with Windows and provides support for OpenType fonts. (While known, in full, as “Adobe Type Manager Font Driver”, it is Microsoft’s code, not Adobe’s.)

Security experts at France’s Orange Cyberdefense said that if atmfd.dll was not present on a machine (it is not, apparently, on all) then mitigation was unnecessary. Computer Business Review could not immediately confirm this. Mitigations are urgent.

Microsoft warned today of the flaws (base CVSS: 10), saying that “there are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane”.

It has posted a sweeping range of remediation options but suggested that a patch may not be ready until April 14’s “Patch Tuesday”. No credit for the disclosure was given; it was not immediately clear how the RCEs were identified.

It is not the first time that atmfd.dll has been the cause of security woes: two early-January 2018 vulnerabilities disclosed to Microsoft by Google’s Project Zero (CVE-2018-0754, CVE-2018-0788) also entailed security flaws in the module. Those two CVEs (which involved how it handles objects in memory) required local access.

New Windows Vulnerability 

Microsoft said (ADV200006): “[The two RCEs exist] when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format… For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.”

Microsoft said: “Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.”

Guidance on disabling these panes is available here.

Microsoft is aware of this vulnerability and working on a fix, the company said: “Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”
