‘Limited Targeted Attacks’ Already Being Tracked by Technology Giant
Microsoft issued a warning this week that attackers are exploiting a pair of zero-day flaws in Windows that allow for remote code execution, which could enable a threat actor to take over an infected device.
Microsoft warned Tuesday that it had detected “limited targeted attacks” so far. It noted that a patch for these vulnerabilities will likely not be available until the company’s next Patch Tuesday release, which is scheduled for April 14. But it described workarounds that could be used in the meantime.
Attacks exploiting these flaws are targeting devices using Windows 7, and not newer versions of Windows, Microsoft reports. In January, the company announced that it was ending free updates and security fixes for Windows 7 as well as Office 2010 (see: Windows 7: Microsoft Ceases Free Security Updates).
Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing guidance to help reduce customer risk until the security update is released. See the link for more details. https://t.co/tUNjkHNZ0N
— Security Response (@msftsecresponse) March 23, 2020
Microsoft notes that these new zero-day vulnerabilities can effect Windows 10 and Windows 8 devices, but the threat of that is considered “low.”
The two zero-day flaws are located in the Adobe Type Manager Library, which allows Windows users to render different types of fonts, called PostScript Type 1, within their devices.
While Adobe makes versions of the Type Manager Library for both Windows and macOS, the Windows version improperly handles the PostScript Type 1 fonts, according to the alert. This opens up several avenues that attackers can exploit to run arbitrary code within a vulnerable Windows device.
“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” according to the Microsoft security alert.
A security alert from the Multi-State Information Sharing and Analysis Center, which was created by the U.S. Department of Homeland Security to voluntarily share cybersecurity information, states that depending on the privileges in the affected Windows systems, attackers exploiting the Windows zero day vulnerabilities could gain full user rights, which would then allow them to view, change and delete data as well as create new accounts within a vulnerable device.
The MS-ISAC alert adds that these zero-day vulnerabilities can affect large and small businesses, government agencies and home users.
Microsoft released a set of workarounds to help mitigate these two vulnerabilities. These include disabling the Preview pane and Details pane in Windows Explorer, disabling the WebClient service to prevent and block potential attempts to exploit these flaws, or renaming the Adobe Type Manager Font Drive file.
The MS-ISAC alert suggests that users limit the administrative privileges and run all software as a non-privileged user to reduce any potential threats.
As part of its March Patch Tuesday alert on March 10, Microsoft released fixes for several versions of Windows, including a different vulnerability that would allow remote code execution.
On March 13, Microsoft released a fix for a remote code execution vulnerability in recent versions of Windows 10 and Windows Server that allowed attackers to execute arbitrary code on vulnerable systems (see: Microsoft Patches Wormable SMBv3 Flaw)