Microsoft warns that hackers are exploiting two unpatched Windows bugs
Microsoft has warned that all versions of Windows contain critical unpatched remote code execution (RCE) vulnerabilities. The security problems stem from the Windows Adobe Type Manager Library and relate to the parsing of fonts.
The company is working on a fix which will be released when the next Patch Tuesday rolls around -- but for Windows 7 users, despite the critical nature of the bugs, it is only those who have paid for an ESU licence that will get the security update. There is a bit of good news, however. While the vulnerabilities are yet to be patched, there are workarounds available that will do the job for the time being.
The workarounds are not a proper fix, however, and using them has side-effects: Windows will not be able to preview OTF fonts, and WebDAV requests will not be transmitted. Describing the vulnerabilities, Microsoft says that it "is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library".
In the security advisory (ADV200006), the company goes on to say:
Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.
There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.
In the advisory about the vulnerabilities, Microsoft offers workarounds. If you're using Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 or Windows 8.1, use the following steps to disable the Preview and Details panes in Windows Explorer:
- Open Windows Explorer, click Organize, and then click Layout.
- Clear both the Details pane and Preview pane menu options.
- Click Organize, and then click Folder and search options.
- Click the View tab.
- Under Advanced settings, check the Always show icons, never thumbnails box.
- Close all open instances of Windows Explorer for the change to take effect.
There are similar, but slightly different, steps for Windows Server 2016, Windows 10 and Windows Server 2019:
- Open Windows Explorer, click the View tab.
- Clear both the Details pane and Preview pane menu options.
- Click Options, and then click Change folder and search options.
- Click the View tab.
- Under Advanced settings, check the Always show icons, never thumbnails box.
- Close all open instances of Windows Explorer for the change to take effect.
Microsoft also advises users to disable the WebClient service:
- Click Start, click Run (or press the Windows Key and R on the keyboard), type services.msc and then click OK.
- Right-click the WebClient service and select Properties.
- Change the Startup type to Disabled. If the service is running, click Stop.
- Click OK and exit the management application.
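For administrators who need to roll the same workarounds out to many machines rather than clicking through each one, the following PowerShell script is an added example (not code from the article or from Microsoft's advisory) that applies the scriptable parts of the steps above and reports the resulting state. It assumes an elevated session on Windows 10 / Server 2016 or later; the IconsOnly value mirrors the "Always show icons, never thumbnails" checkbox, while the Details and Preview pane toggles themselves are left to the Explorer GUI steps. The function and variable names are the author's own.

```powershell
# Added example: scripted version of the advisory's manual workarounds.
# Assumes an elevated (Administrator) session on Windows 10 / Server 2016+.
# Covers: "Always show icons, never thumbnails" and disabling the WebClient
# (WebDAV) service. Pane toggles are done in the Explorer GUI as described above.

$ExplorerAdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-IconsOnlyNoThumbnails {
    # Mirrors the "Always show icons, never thumbnails" checkbox (IconsOnly = 1).
    if (-not (Test-Path $ExplorerAdvancedKey)) {
        New-Item -Path $ExplorerAdvancedKey -Force | Out-Null
    }
    Set-ItemProperty -Path $ExplorerAdvancedKey -Name 'IconsOnly' -Value 1 -Type DWord
}

function Disable-WebClientService {
    # Same as services.msc: set Startup type to Disabled, then stop it if running.
    $svc = Get-Service -Name 'WebClient' -ErrorAction Stop
    Set-Service -Name 'WebClient' -StartupType Disabled
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name 'WebClient' -Force
    }
}

function Restart-Explorer {
    # Explorer must be restarted for the view setting to take effect.
    Stop-Process -Name 'explorer' -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    # Windows 10 normally relaunches the shell itself; start it if it did not.
    if (-not (Get-Process -Name 'explorer' -ErrorAction SilentlyContinue)) {
        Start-Process 'explorer.exe'
    }
}

function Test-WorkaroundState {
    # Returns an object that can be logged or collected for a fleet-wide check.
    $iconsOnly = (Get-ItemProperty -Path $ExplorerAdvancedKey -Name 'IconsOnly' `
                  -ErrorAction SilentlyContinue).IconsOnly
    $svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IconsOnlyApplied   = ($iconsOnly -eq 1)
        WebClientStartType = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        WebClientStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        WebClientMitigated = ($null -eq $svc) -or
                             ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped')
    }
}

Set-IconsOnlyNoThumbnails
Disable-WebClientService
Restart-Explorer
Test-WorkaroundState | Format-List
```

Test-WorkaroundState is the part worth keeping after the patch ships: run it on its own to confirm the WebClient service is still Disabled and Stopped, and to find machines where the setting has drifted back. The StartType property on service objects is only available in PowerShell 5.0 and later, so on Windows 7 or Server 2008 R2 read StartMode from Win32_Service instead.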