Microsoft posted a new security advisory today (ADV200006), detailing what it’s calling “Type 1 Font Parsing Remote Code Execution Vulnerability.” They have given the vulnerability a “critical” severity rating, which is the highest severity rating Microsoft gives.
The flaw seems to stem from the Adobe Type Manager Library and deals with how Windows handles fonts. “Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format,” says Microsoft.
Microsoft is still working to fix the vulnerabilities. The earliest it will issue a patch is likely April 14th. Microsoft typically releases security updates on Update Tuesday, the second Tuesday of each month. In the meantime, there are a few workarounds, including disabling the preview pane and details pane in Windows Explorer. Microsoft has detailed the steps users should take here.
Currently, there are “limited targeted attacks” that Microsoft is aware of. The company is already working on a fix, but in the meantime you can mitigate the flaw. Microsoft recommends disabling the preview pane and disabling the WebClient service. Check out the security advisory for instructions for specific Windows versions.
Patches are typically released on Patch Tuesday (the second Tuesday of the month), but Microsoft does release emergency patches outside of that schedule for critical flaws. This could be one of those cases.
