Microsoft announced limited exploitation of a zero-day remote code execution vulnerability in the Type 1 font parser.
There are two RCE vulnerabilities in the Windows Adobe Type Manager Library, triggered when it parses the Adobe Type 1 PostScript format. There are multiple attack vectors, such as documents.
Microsoft is working on a patch.
The following mitigation actions can be taken:
Note that Microsoft points out the following in its advisory:
Update: I can't find ATMFD.DLL on any of the Windows 10 machines I have access to, unless it's a version older than 1809. This DLL must have been removed when upgrading to 1809, and this could explain Microsoft's remark about supported versions of Windows 10 and AppContainer sandboxes (1803 and older are no longer supported).
Update 2: Microsoft has updated the advisory to version 1.1, confirming that ATMFD.DLL (a kernel-mode font driver) has been replaced by FONTDRVHOST.exe running in an AppContainer. In other words, this vulnerability, which is inside kernel-mode font parsing code in Windows 7, 8 and older versions of Windows 10, is no longer inside the kernel but in an AppContainer with limited privileges.
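To repeat the check from the two updates across several machines, the following added example (not code from Microsoft or from this diary) reports whether ATMFD.DLL and FONTDRVHOST.exe are present alongside the Windows build. The function name `Get-AtmfdExposure` is hypothetical, and the script assumes both files live in `%windir%\System32` and that PowerShell remoting is enabled for any remote hosts.

```powershell
# Added example: inventory check for the kernel-mode font driver.
# Assumption: ATMFD.DLL and fontdrvhost.exe are located in %windir%\System32.
function Get-AtmfdExposure {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $probe = {
        # A 32-bit PowerShell on 64-bit Windows is redirected to SysWOW64;
        # Sysnative reaches the real System32 in that case.
        $dir = 'System32'
        if ($env:PROCESSOR_ARCHITEW6432) { $dir = 'Sysnative' }
        $sys = Join-Path $env:windir $dir
        $atmfd = Join-Path $sys 'atmfd.dll'
        $fdh   = Join-Path $sys 'fontdrvhost.exe'

        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $hasAtmfd = Test-Path -LiteralPath $atmfd
        $atmfdVer = $null
        if ($hasAtmfd) { $atmfdVer = (Get-Item -LiteralPath $atmfd).VersionInfo.FileVersion }

        # Summary follows the advisory's description: ATMFD.DLL is the
        # kernel-mode driver, fontdrvhost.exe runs in an AppContainer.
        $summary = 'ATMFD.DLL not found'
        if ($hasAtmfd) { $summary = 'kernel-mode font driver present' }

        New-Object PSObject -Property @{
            Computer           = $env:COMPUTERNAME
            Product            = $cv.ProductName
            Build              = $cv.CurrentBuildNumber
            ReleaseId          = $cv.ReleaseId   # empty on Windows 7/8
            AtmfdPresent       = $hasAtmfd
            AtmfdVersion       = $atmfdVer
            FontDrvHostPresent = (Test-Path -LiteralPath $fdh)
            Summary            = $summary
        }
    }

    foreach ($c in $ComputerName) {
        try {
            if ($c -eq $env:COMPUTERNAME) { & $probe }
            else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Stop }
        } catch {
            # Keep unreachable hosts in the report instead of aborting the run.
            New-Object PSObject -Property @{ Computer = $c; Summary = "error: $($_.Exception.Message)" }
        }
    }
}

Get-AtmfdExposure | Format-List Computer, Product, Build, ReleaseId, AtmfdPresent, AtmfdVersion, FontDrvHostPresent, Summary
```

Machines that report `AtmfdPresent = True` are the ones where the mitigations in the advisory matter most.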
Microsoft advisory ADV200006
Mar 24th 2020