Microsoft released a security advisory stating that it is aware of a Type 1 font parsing remote code execution (RCE) vulnerability affecting all versions of Windows, including Windows Server. The bugs exist when the Adobe Type Manager Library improperly handles a specially crafted multi-master font in Adobe Type 1 PostScript format. Attackers could exploit this vulnerability by tricking a user into opening a specially crafted document or viewing it in the Windows Preview pane. As of now, there is no patch for this vulnerability, and one is not expected until Microsoft’s next Patch Tuesday on April 14, 2020. Microsoft is currently aware of limited targeted attacks that could leverage these vulnerabilities in Adobe Type Manager.
It is important to note that this vulnerability affects all versions of Windows, but no patch will be released for Windows 7 because support for that version ended on January 14, 2020. Microsoft’s security release contains mitigations and workarounds that can be implemented now, until a patch is released for supported versions. Until then, it is especially important to be on the lookout for phishing email messages with attached or linked document files that could exploit this vulnerability. It is also important to monitor workstations and servers for unusual activity that could signal attacker behavior, including programs being launched as a result of documents viewed in the Windows Preview pane. When a patch is released for a newly found vulnerability, it should be installed as soon as practical after testing, as this helps ensure that attackers cannot exploit the vulnerability moving forward. Many attackers prey on those who do not patch their systems and who use old and outdated software. The report from Microsoft with workarounds and mitigations can be found here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006
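The monitoring advice above can be turned into a simple check over process-creation telemetry. The following is an added example, not taken from Microsoft's advisory: it assumes Sysmon-style Event ID 1 records exported as dictionaries and that `prevhost.exe` is the process hosting Preview pane handlers; the interpreter list, function names and sample events are constructed for illustration.

```python
import ntpath

# Assumption: prevhost.exe (Preview Handler Surrogate Host) renders Preview pane content.
PREVIEW_HOSTS = {"prevhost.exe"}
# Assumption: illustrative list of interpreters a document preview should never start.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def exe_name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()


def triage(events):
    """Return one finding per process whose parent is a preview host."""
    findings = []
    for ev in events:
        if exe_name(ev.get("ParentImage")) not in PREVIEW_HOSTS:
            continue
        child = exe_name(ev.get("Image"))
        findings.append({
            "host": ev.get("Computer", "?"),
            "time": ev.get("UtcTime", "?"),
            "child": child,
            "command_line": ev.get("CommandLine", ""),
            "severity": "high" if child in INTERPRETERS else "review",
        })
    return findings


# Constructed sample records (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "UtcTime": "2020-03-24 09:01:10", "CommandLine": "WINWORD.EXE /n report.docx",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS-01", "UtcTime": "2020-03-24 09:03:42", "CommandLine": "prevhost.exe -Embedding",
     "Image": r"C:\Windows\System32\prevhost.exe", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Computer": "WS-01", "UtcTime": "2020-03-24 09:03:44", "CommandLine": "cmd.exe /c whoami",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\PREVHOST.EXE"},
    {"Computer": "SRV-02", "UtcTime": "2020-03-24 11:17:05", "CommandLine": "upd.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "ParentImage": r"C:\Windows\System32\prevhost.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["time"], f["child"], f["command_line"])
```

Any hit is worth reviewing, since a preview host normally has no reason to start other programs; the `high` label only prioritises the cases where the child is a script or command interpreter.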
Additional reporting can be found at these news sources: