Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability

Published: 2020-03-23
Last Updated: 2020-03-24 01:22:42 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Microsoft announced limited exploitation of a zeroday remote code execution vulnerability in the type 1 font parser.

There are two RCE vulnerabilities in Windows Adobe Type Manager Library on Windows system, when parsing Adobe Type 1 PostScript format. There are multiple attack vectors, like documents.

Microsoft is working on a patch.

Following mitigation actions can be taken:

  • Disable the Preview Pane and Details Pane in Windows Explorer
  • Disable the WebClient service
  • Rename ATMFD.DLL


Remark that Microsoft points out the following in its advisory:

For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.


Update: I can't find ATMFD.DLL on any of the Windows 10 machines I have access to, unless it's a version older than 1809. This DLL must have been removed when upgrading to 1809, and this could explain Microsoft's remark about supported version of Windows 10 and AppContainer sandboxes (1803 and older are no longer supported).

Update 2: Microsoft has updated the advisory to version 1.1, confirming that ATMFD.DLL (a kernel mode font driver) has been replaced by FONTDRVHOST.exe running in an AppContainer. In other words, this vulnerability that is inside kernelmode font parsing code in Windows 7, 8 and older versions of Windows 10, is no longer inside the kernel but in an AppContainer with limited privileges.


Microsoft advisory ADV200006

Didier Stevens
Senior handler
Microsoft MVP

Keywords: font windows zeroday
0 comment(s)


Diary Archives