Micropatch Released for Actively Exploited Windows Font Processing Vulnerabilities

Library were being actively exploited in the wild. The flaws concern how type 1 PostScript fonts are handled.

The flaws can be exploited if a user is convinced to open a specially crafted document; however, opening the file is not strictly required, as the flaws can also be triggered when the document is merely viewed in the Windows preview pane.

The flaws affect Windows 10, Windows 8.1, Windows 7, Windows Server 2019, 2016, 2012, 2012 R2, 2008 and 2008 R2. Microsoft reports that only limited attacks have taken place to date.

Microsoft has published some recommended mitigations to reduce the risk of exploitation. These include disabling the Preview Pane, Details Pane and thumbnails in Windows Explorer, disabling the WebClient service, and renaming ATMFD.DLL, all of which have pros and cons.
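As an added example (not from the article, Microsoft or 0patch), the following PowerShell function audits whether the three mitigations named above are in place on a host; it only reads state and changes nothing. It assumes PowerShell 3.0 or later, and that the "Always show icons, never thumbnails" setting maps to the per-user `IconsOnly` value under `Explorer\Advanced`; the preview and details pane state is stored as binary layout data and is not checked.

```powershell
# Added audit example: reports whether the ATMFD.DLL font-processing
# mitigations are applied on the local machine. Run from an elevated prompt.

function Get-AtmfdMitigationStatus {
    $result = [ordered]@{}

    # 1. ATMFD.DLL renamed or removed? The library normally lives in System32
    #    (and SysWOW64 on 64-bit hosts).
    $dllPaths = @("$env:windir\System32\atmfd.dll", "$env:windir\SysWOW64\atmfd.dll")
    $stillPresent = @($dllPaths | Where-Object { Test-Path $_ })
    $result['AtmfdDllRemovedOrRenamed'] = ($stillPresent.Count -eq 0)
    $result['AtmfdDllPathsFound']       = ($stillPresent -join '; ')

    # 2. WebClient (WebDAV) service stopped AND disabled? WMI is used so the
    #    check also works on older PowerShell versions found on Windows 7.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) {
        $result['WebClientDisabled'] = $true   # service not installed at all
    } else {
        $result['WebClientDisabled'] = ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Disabled')
    }

    # 3. Thumbnails disabled for the current user? Assumption: this is the
    #    IconsOnly DWORD (1 = always show icons, never thumbnails).
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $iconsOnly = (Get-ItemProperty -Path $advKey -Name IconsOnly -ErrorAction SilentlyContinue).IconsOnly
    $result['ThumbnailsDisabled'] = ($iconsOnly -eq 1)

    # Preview Pane / Details Pane state is stored as binary layout data and is
    # not checked here; confirm it in Explorer's View menu.
    $result['PreviewPaneChecked'] = $false

    [pscustomobject]$result
}

Get-AtmfdMitigationStatus | Format-List
```

A `$false` in any of the first three fields means that mitigation is not in effect on this host and the machine still relies on the Patch Tuesday fix or a micropatch.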

While Microsoft has not confirmed when a patch will be released, it would appear that an out-of-band release will not be forthcoming, and the flaws will not be fixed until April Patch Tuesday. Microsoft will be issuing a patch for Windows 7 and Windows Server 2008 R2, but only for customers that have paid for extended support as the operating systems reached end of life in January.

No further information has been released by Microsoft about the flaws and no CVE identifiers have been assigned; however, ACROS Security has developed a micropatch through its 0patch service that can prevent the flaws from being exploited.

The micropatch has been released for paying 0patch customers only and works on fully updated Windows 7 64-bit and Windows Server 2008 R2 systems without Extended Security Updates (ESU). ACROS Security has said it will port the fix to other affected Windows and Windows Server versions but is unlikely to release a micropatch for Windows 10, as the risk of exploitation on Windows 10 is greatly reduced.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news