Windows has a zero-day that won’t be patched for weeks

Cybercriminals are exploiting two unpatched zero-day flaws affecting all supported versions of Windows, Microsoft has warned.

The Remote Code Execution (RCE) vulnerabilities affect Adobe Type Manager (ATM) Library, the part of Windows that manages PostScript Type 1 fonts.

For now, there are no CVE identifiers and the only confirmed details are in Microsoft’s warning:

Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library and is providing the following guidance to help reduce customer risk until the security update is released.

Attackers could exploit the flaw by persuading users to open a malicious document. Importantly, however, the same danger would arise even if users viewed that document using the Windows Explorer file manager preview pane.

The latter is significant because, for now, there’s no software fix, which could be as far away as the next Patch Tuesday update, scheduled for 14 April 2020:

Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.

Until then, the only countermeasure is to use one of the recommended workarounds, which involves disabling Explorer’s preview and details pane.

This can be achieved as follows:

  1. Open Windows Explorer, click the View tab (Organize and Layout on older systems).
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Options (or Organize), and then click Change folder and search options.
  4. Click the View tab.
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the WebClient service should also block the most likely attack route, Microsoft said:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Disabled. If the service is running, click Stop.
  4. Click OK and exit the management application.

Renaming atmfd.dll was another mitigation for versions of Windows before Windows 10 1709, with instructions on how to do this for different older versions covered in the advisory.

This workaround might affect OpenType fonts which although not part of Windows are used by some third-party applications.

The affected versions of Windows include 32-bit and 64-bit versions of Windows 10 (1607, 1709, 1803, 1809, 1903, 1909), Windows 8.1, Windows 7, and Windows Servers 2008, 2012, 2016 and 2019, including Server Core installations.

Importantly, Windows 7 users whose installations lack an Extended Security Updates (ESU) agreement won’t receive patches for these flaws (Windows 7 reached end of life on 14 January 2020).

Why is Microsoft patching Adobe Type Manager?

The short answer is because this vulnerability has nothing to do with Adobe – despite its name, ATM has long been part of Windows itself, and is maintained by Microsoft under a license agreement that presumably requires it to name-check Adobe.

This is the third time in a matter of weeks Microsoft has faced having to patch a Windows zero day after running into some timing problems over patching.

February’s Patch Tuesday saw a fix for an Internet Explorer flaw (CVE-2020-0674), a zero-day which had been exploited in “limited attacks” dating back to January.

And earlier this month, Microsoft scrambled to patch the ‘SMBGhost’ vulnerability (CVE-2020-0796), news of which leaked accidentally into the public domain.


Latest Naked Security podcast

go top