Microsoft Warns of Critical Windows Zero-Day Flaws in the Adobe Type Manager Library

Attackers are exploiting a Windows flaw that allows malicious code to infiltrate fully updated systems.

Microsoft posted the new security advisory today (ADV200006), detailing what it’s calling “Type 1 Font Parsing Remote Code Execution Vulnerability.” They have given the vulnerability a “critical” severity rating, which is the highest severity rating Microsoft gives.

According to Microsoft, two remote code execution vulnerabilities exist in the way that Windows’ Adobe Type Manager Library handles certain fonts. Adobe Type Manager is a font management tool built into both Mac OS and Windows operating systems, and produced by Adobe. While no patches are available for the flaws, workaround mitigations can protect users.

There are multiple ways an attacker could exploit the vulnerabilities, Microsoft said. For example, an attacker could convince a user to open a specially crafted document or view it in the Windows Preview pane. Windows Preview pane is used by the Windows Explorer (which is called File Explorer in Windows 10) file manager application to preview pictures, video, and other content.

All currently-supported versions of Windows are affected, including Windows 10, as well as versions of Windows 7, Windows 8.1, Windows RT, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019. Windows 7 is also affected, though it has reached end of support, said Microsoft.

Although Microsoft did not share further details of the attacks that spurred this critical-level advisory, “limited targeted attacks” usually means that state-sponsored intelligence agencies are exploiting the flaws to compromise specific computer systems.

Microsoft said there’s no fix for the vulnerability at this moment. According to TechCrunch, a spokesman for Microsoft suggested the patch will arrive next Tuesday.

“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” Microsoft says.