Skip to main content

Security Alert: Microsoft Font Parsing Remote Code Vulnerability

Date:
2020-03-24 23:42:00
Status:
Closed
Brief Description:
Microsoft security advisory: ADV200006 - Type 1 Font Parsing Remote Code Execution Vulnerability. A remote attacker could exploit this vulnerability to execute remote code on a vulnerable server or client. Updates are NOT yet available.
Current Status:
ITSO recommends implementing Microsoft's workaround mitigations until patches are available on or around April 14th. Please note, Microsoft's guidance is to not apply the mitigations to the Windows 10 family of clients and servers. The ITSO recommends administrators follow that guidance for their systems.

Final Update - As of April 14th, Microsoft has not yet released patches for this vulnerability. The worst effects of this vulnerability are against operating systems that are end of life per Microsoft's software life cycle. This primarily concerns Windows 7 and Windows Server 2008 R2 systems, though other older operating systems are also affected. The ITSO recommends implementation of the mitigations provided by Microsoft and to purchase extended security updates (ESU) for Windows 7 and Windows Server 2008 R2 system. Systems with an ESU license, would likely be eligible for any future patch Microsoft releases.
Services Affected:
Not Applicable
Full Description:
Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font (Adobe Type 1 PostScript format). These vulnerabilities are present in all supported Windows operating systems: Windows 7, 8, 8.1, 10, Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019.

Exploitation of the vulnerabilities require a remote attacker to convince a user to open a specially crafted document or view it in the Windows Preview pane.

Microsoft is aware of targeted Windows 7 based attacks that leverage these vulnerabilities. For systems running Windows 10, Server 2016, and Server 2019 the threat of these vulnerabilities is low due to previous mitigations put in place by Microsoft in 2015.

Microsoft has not yet released security updates to patch affected systems, but has released suggested workaround mitigations. Once security updates are available, an ESU (Extended Security Updates) license will be required to receive the patches for: Windows 7, Windows Server 2008 and Windows Server 2008 R2.

The IT Security Office recommends applying Microsoft's workaround mitigations to any affected system. Note: Microsoft's guidance is to not apply the mitigations to the Windows 10 family of clients and servers. The ITSO recommends administrators follow that guidance for their systems. The steps to implement these workarounds are outlined in the external link below. Patches are expected to be released on April 14th, at which point immediate patching is also recommended.

For customers of CIT's Managed Server Service - The Managed Server Team will be issuing their own statement to affected customers.

External Links to more information: Microsoft Security Advisory - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200006#ID0EGB