All Supported Windows Versions Affected by Two Actively Exploited Zero-Day RCE Flaws

Microsoft has issued a security advisory about two actively exploited zero-day flaws in Windows Adobe Type Manager Library. The critical remote code execution vulnerabilities affect all supported Windows desktop and server versions and Windows 7. If exploited, attackers would be able to take full control of vulnerable computers.

The flaws are being exploited in limited targeted attacks. Microsoft is currently working on a patch to correct the flaws, but a permanent fix is unlikely to be released until Patch Tuesday on April 14. In the meantime, Microsoft has suggested workarounds that can be implemented to reduce the risk of exploitation.

According to Microsoft’s security advisory, the flaws are present in the Windows Adobe Type Manager Library and are due to improper handling of a specially-crafted multi-master font – Adobe Type 1 PostScript format. The flaws can be exploited by convincing a user to open a specially crafted document, but the flaws could also be exploited if a user views the document in the Windows Preview pane.

On Windows 10, it is only possible to remotely execute code with limited privileges and capabilities within an AppContainer sandbox. That would be sufficient to install programs and view, change, or delete data. It would also be possible for new accounts to be created with full user rights.

Steps that can be taken to reduce the potential for exploitation are detailed in the security advisory and include:

Disabling the Preview and Details panes in Windows Explorer. This will prevent OTF fonts from being automatically displayed. This mitigation will protect against remote attacks but will not prevent a local user from exploiting the vulnerability using a specially crafted program.

Disabling the WebClient service is also advisable, as this will prevent attacks through the WebDAV client service. This workaround is only a partial fix. According to Microsoft, “After applying this workaround, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.”

Microsoft also recommends that users rename the Adobe Type Manager Font Driver (ATMFD.dll) file, as this will temporarily disable embedded fonts. However, this workaround may cause certain applications to stop functioning correctly.

When the patch is released, users are advised to update as soon as possible. Users of Windows 7, Windows Server 2008, or Windows Server 2008 R2 will only receive a patch to correct the vulnerabilities if they have paid for extended support.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of