-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Critical RCE in Windows' Adobe Type Manager Library (ATMFD)
announced out of cycle
25 March 2020
AusCERT Security Bulletin Summary
Product: Windows 10
Windows RT 8.1
Windows Server 2008
Windows Server 2012
Windows Server 2016
Windows Server 2019
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Member content until: Thursday, April 23 2020
Revision History: March 25 2020: Added MS note - mitigation not recommended
on Windows 10
March 24 2020: Initial Release
Microsoft has published information about a critical vulnerability
in Windows, in the Windows Adobe Type Manager Library, enabling
remote code execution when viewing a file containing crafted fonts.
Microsoft advises that there are "limited targeted attacks" in the wild,
exploiting this vulnerability.
Microsoft are working on an out-of-band patch, but for now only
mitigation steps are available.
UPDATE: Microsoft is not aware of any attacks against the
Windows 10 platform and does not recommend implementing the
provided workarounds on Windows 10.
"Two remote code execution vulnerabilities exist in Microsoft Windows
when the Windows Adobe Type Manager Library improperly handles
a specially-crafted multi-master font - Adobe Type 1 PostScript format."
"There are multiple ways an attacker can exploit the vulnerability,
such as convincing a user to open a specially crafted document
or viewing it in the Windows Preview pane." 
"Microsoft is aware of this vulnerability and working on a fix." 
This fix will likely be released before the next Patch Tuesday,
which is scheduled for April 14th.
In the meantime, Microsoft has published mitigation instructions
which involve disabling affected features in the Windows Explorer
file browser, disabling the WebClient service, and optionally disabling
the whole Adobe Type Manager Font Driver (ATMFD) DLL. 
 Windows: Type 1 Font Parsing Remote Code Execution Vulnerability
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----