Microsoft - ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

There is an important/Critical Microsoft Font vulnerability (still un-patched) that is affecting Adobe Type Manager Library.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially drafted document or viewing it in the Windows Preview panel with Explorer.


Here it is Microsoft Security Advisory (ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200006

About Patch release most probably it will be released on Microsoft Update Tuesday (the second Tuesday of each month)

Affected operative systems are below indicated, consider that windows 10, due to mitigations that were put in place with the first version released in 2015 is considered with low risk impact.

Please see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.

Microsoft recommends upgrading to the Windows 10 family of clients and servers.


Here they are O.S. impacted briefly indicated:


Product 
Impact 
Severity
Windows 10 All versions Remote Code Execution  Important
Windows 7 All versions Remote Code Execution  Critical
Windows 8,1 All versions Remote Code Execution  Critical
Windows RT 8.1 All versions Remote Code Execution  Critical
Windows Server 2008 & R2 All Versions Remote Code Execution  Critical
Windows Server 2012 e R2 All Versions Remote Code Execution  Critical
Windows Server 2016 All Versions Remote Code Execution  Important
Windows Server 2019 All versions Remote Code Execution  Important

Here they are workaround applicable (be Aware that about windows 10 these are deprecated):


Workaround Applicability
Disable the Preview Pane and Details Pane in Windows Explorer Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class
Disable the WebClient service Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class
Rename ATMFD.DLL Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases

In Microsoft Advisory ADV 200006 It is indicated how to disable wbeclient service to protect you against attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. 

Impact of workaround.

When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.


Workaround effects and how to implement it is indicated in Microsoft advisory.

Consider that Windows 7  and Windows 2008 are no longer supported, it is highly probable that patch would not be available except for customers that subscribed extended patch support:

- Extended Security Update Program di Microsoft (ESU) windows 7
Extended Security Updates (ESU) Licensing Preparation Package for Windows 7 SP1 and Windows Server 2008 R2 SP1
- Extended Security Updates (ESU) Windows 2008 and 2008 R2 
Extended Security Updates (ESU) SQL 2008 and 2002 R2


[references articles]

https://www.cwi.it/cio/windows-server-2008-non-e-ancora-morto-ecco-perche_42124905 

https://www.hdblog.it/microsoft/articoli/n518582/windows-10-8-7-hacker-vulnerabilita-critica-patch/ 

https://www.hdblog.it/microsoft/articoli/n515774/windows-7-germania-costi-supporto/ 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200006 


[Update 2020.04.15]


Microsoft released patches and new workarounds to mitigate problem:



https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020


Be aware about this information:

"Do I need an ESU license to receive the update for Windows 7, Windows Server 2008 and Windows Server 2008 R2 for this vulnerability?
Yes, to receive the security update for this vulnerability for Windows 7, Windows Server 2008, or Windows Server 2008 R2 you must have an ESU license. See 4522133 for more information."