24 March 2020

Hackers actively target two unpatched RCE-vulnerabilities in Windows

Microsoft has released an alert warning of targeted attacks actively exploiting two zero-day remote code execution (RCE) vulnerabilities affecting the Windows Adobe Type Manager Library. The flaws impact all supported versions of Windows, as well as Windows 7, which reached end of life in January this year.

“Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released”, the tech giant says.

According to Microsoft, the two RCE flaws exist because of the way the Windows Adobe Type Manager Library handles a specially crafted multi-master font in the Adobe Type 1 PostScript format. The vulnerabilities could be exploited by tricking a user into opening a specially crafted document, or by having the user view it in the Windows Preview pane.

Rated as ‘Critical’, the vulnerabilities affect devices running desktop and server Windows versions, including Windows 10, Windows 8.1, Windows 7, and multiple versions of Windows Server.

“For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” the company says.

Currently, Microsoft is working on a patch to address the issues. As the company noted, updates to address security vulnerabilities are usually released as part of Update Tuesday, typically scheduled for the second Tuesday of every month. This means, in theory, the next monthly batch of security updates is scheduled for April 14th.

Meanwhile, the Redmond company provided a temporary workaround to reduce the risk of attacks exploiting the above-mentioned flaws. The company recommends disabling the Preview Pane and Details Pane in Windows Explorer to prevent the automatic display of OTF fonts.
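The following PowerShell is an added example, not code from the article or from Microsoft, showing how an administrator could apply the pane workaround per user and then audit whether it is in place. The registry key and the value names NoPreviewPane and NoReadingPane are assumptions drawn from Microsoft's published workaround guidance, not from this page; confirm them against the advisory for your Windows version.

```powershell
# Added example: apply and audit the Preview/Details pane workaround for the
# Adobe Type Manager Library flaws. Registry path and value names are an
# assumption based on Microsoft's workaround guidance (not stated on this page).
$PolicyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PaneValues = @{ NoPreviewPane = 1; NoReadingPane = 1 }   # 1 = pane turned off

function Get-ExplorerPaneStatus {
    # Returns a hashtable: value name -> current DWORD, or $null when unset.
    $status = @{}
    foreach ($name in $PaneValues.Keys) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $status[$name] = if ($item) { $item.$name } else { $null }
    }
    return $status
}

function Set-ExplorerPaneWorkaround {
    # Creates the policy key if it does not exist and forces both panes off
    # for the current user (HKCU), which is the scope the workaround targets.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $PaneValues.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
                         -Value $PaneValues[$name] -Force | Out-Null
    }
    Write-Host 'Pane policies set; restart explorer.exe or sign out for them to take effect.'
}

function Test-ExplorerPaneWorkaround {
    # $true only when every pane value is present and equal to 1.
    $status = Get-ExplorerPaneStatus
    return (@($status.Values | Where-Object { $_ -ne 1 }).Count -eq 0)
}

Set-ExplorerPaneWorkaround
"Workaround applied for current user: $(Test-ExplorerPaneWorkaround)"
```

Test-ExplorerPaneWorkaround can be run on its own across a fleet to report which users still have the panes enabled while the patch is pending.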
