All currently supported versions of Microsoft Windows (server and desktop) are exposed to two new remote code execution (RCE) vulnerabilities which are being actively exploited in the wild in “limited targeted attacks” — and there’s no patch yet.

The new Windows 0days are in atmfd.dll: a kernel module that is provided by Windows and which provides support for OpenType fonts. (While known, in full, as “Adobe Type Manager Font Driver”, it is Microsoft’s code, not Adobe’s).

Security experts at France’s Orange Cyberdefense said if atmfd.dll was not present on a machine (it is not, apparently, on all) then mitigation was unnecessary. Computer Business Review could not immediately confirm this. Mitigations are urgent. 

Microsoft warned today of the flaws (base CVSS: 10) that “there are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane”.

It has posted a sweeping range of remediation options but suggested that a patch may not be ready until April 14’s “Patch Tuesday”. No credit for the disclosure was given; it was not immediately clear how the RCE’s were identified.

It is not the first time that atmfd.dll has been the cause of security woes: two early January 2018 vulnerabilities disclosed to Microsoft by Google’s Project Zero (CVE-2018-0754CVE-2018-0788) also entailed security flaws in the module: those two CVES (which involved how it handles objects in memory) required local access.

New Windows Vulnerability 

Microsoft said (ADV200006): “[The two RCEs exist] when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format…  For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.”

MSFT said: “Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.

Guidance on disabling these panes is available here.

Microsoft is aware of this vulnerability and working on a fix, the company said: “Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”

See also: “A Sweetheart Deal, Done in Secret”: Intel and Micron Sued Over 3D XPoint