Microsoft has released workarounds to help fend off limited, targeted attacks that leverage two unpatched vulnerabilities in the Adobe Type Manager Library.
Two remote code execution (RCE) vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit them, such as convincing a user to open a specially crafted document or to view it in the Windows Preview pane.
Adobe Type Manager, which is provided by atmfd.dll, is a kernel module shipped with Windows that provides support for OpenType fonts, according to the Microsoft advisory. The two vulnerabilities in the library may allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. They affect all supported versions of Windows, as well as Windows 7, which is no longer supported. Microsoft reports that they are already being exploited in limited, targeted attacks.
By causing a Windows system to open a specially crafted document or to view it in the Windows preview pane, an unauthenticated remote attacker may be able to execute arbitrary code with kernel privileges on a vulnerable system. On Windows 10, by contrast, the font-parsing code runs with limited privileges inside an AppContainer sandbox, so a successful attack would only yield code execution in that restricted context rather than in the kernel.
While no patch is available yet, Microsoft has issued workarounds:
One workaround is to rename ATMFD.DLL. This appears to be the most effective workaround, because it prevents Windows from loading the vulnerable code at all. The system must be restarted for the change to take effect, and applications that rely on embedded or OpenType fonts may no longer render them correctly. Newer Windows 10 versions no longer ship ATMFD.DLL, so this mitigation does not apply to them.
In addition, it is possible to disable the preview pane and details pane in Windows Explorer. Doing so prevents Windows Explorer from automatically rendering OTF fonts when a folder is browsed. While this stops malicious font files from being parsed merely by being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program that exploits the vulnerability.
Another workaround is to disable the WebClient service. This helps protect affected systems by blocking the most likely remote attack vector, the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, a remote attacker who successfully exploits the vulnerability could still cause the system to run programs located on the targeted user's computer or on the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.
When the WebClient service is disabled, WebDAV requests are not transmitted. In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.
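The three workarounds above, applied and then checked from an elevated PowerShell session. This is an added example and not Microsoft's own script: it reproduces the advisory's command-prompt steps for renaming ATMFD.DLL (takeown, save the ACL, grant Administrators full control, rename), disables the WebClient service, and, as an assumption of this example, uses the Explorer policy values NoReadingPane, NoPreviewPane and IconsOnly as the registry equivalents of clearing the Preview pane, Details pane and thumbnail options. The function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: applies and checks the three workarounds discussed above.
# Not Microsoft's script. Function names and the Explorer policy value names
# (NoReadingPane, NoPreviewPane, IconsOnly) are this example's assumptions.

function Disable-AtmfdLibrary {
    # A 32-bit PowerShell on 64-bit Windows is redirected from System32 to
    # SysWOW64, so insist on a 64-bit host when the OS is 64-bit.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from 64-bit PowerShell so System32 is not redirected.'
    }
    $dirs = @("$env:windir\System32")
    if ([Environment]::Is64BitOperatingSystem) { $dirs += "$env:windir\SysWOW64" }
    foreach ($dir in $dirs) {
        $dll = Join-Path $dir 'atmfd.dll'
        if (-not (Test-Path $dll)) {
            Write-Host "$dll not present (newer Windows 10 does not ship it); skipping."
            continue
        }
        # Same sequence as the advisory's command-prompt steps: take ownership,
        # save the original DACL so the change can be undone, grant Administrators
        # full control, then rename the file so the kernel can no longer load it.
        & takeown.exe /f $dll | Out-Null
        & icacls.exe $dll /save (Join-Path $dir 'atmfd.dll.acl') | Out-Null
        & icacls.exe $dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path $dll -NewName 'x-atmfd.dll'
        Write-Host "Renamed $dll to x-atmfd.dll; a reboot is required."
    }
}

function Disable-ExplorerPanes {
    # Per-user (HKCU) settings: turn off the Preview and Details panes and show
    # icons instead of thumbnails, so browsing a folder never parses a font file.
    $policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    foreach ($key in $policy, $advanced) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $policy   -Name NoReadingPane -Value 1 -Type DWord
    Set-ItemProperty -Path $policy   -Name NoPreviewPane -Value 1 -Type DWord
    Set-ItemProperty -Path $advanced -Name IconsOnly     -Value 1 -Type DWord
}

function Disable-WebClientService {
    # Blocks the WebDAV vector; services that depend on WebClient will then fail to start.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host 'WebClient service is not installed.'; return }
    Set-Service -Name WebClient -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
}

function Get-WorkaroundStatus {
    # One object summarising where this machine stands, suitable for fleet reporting.
    # Service.StartType requires PowerShell 5.0 or later.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $pane   = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $svc    = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $start  = if ($svc) { $svc.StartType } else { 'NotInstalled' }
    [pscustomobject]@{
        AtmfdPresent       = Test-Path "$env:windir\System32\atmfd.dll"
        AtmfdRenamed       = Test-Path "$env:windir\System32\x-atmfd.dll"
        PreviewPaneOff     = ($pane.NoReadingPane -eq 1)
        DetailsPaneOff     = ($pane.NoPreviewPane -eq 1)
        WebClientStartType = $start
    }
}

Disable-AtmfdLibrary
Disable-ExplorerPanes
Disable-WebClientService
Get-WorkaroundStatus | Format-List
```

Run it elevated; the pane settings are written under HKCU and therefore apply only to the user running the script, so roll them out per user or through Group Policy for a fleet. To undo the ATMFD change, rename x-atmfd.dll back to atmfd.dll and restore the saved ACL with icacls /restore, then reboot.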
Microsoft's advisory gives the full instructions for applying and reverting each workaround.