The Australian Cyber Security Centre (ACSC) is aware of Microsoft’s recent disclosure of two remote code execution (RCE) vulnerabilities in the Windows Adobe Type Manager Library. Microsoft reports that there is targeted exploitation of these vulnerabilities.
The vulnerabilities affect all supported versions of Windows and Windows Server. They occur when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font (Adobe Type 1 PostScript format).
There are a number of ways a malicious actor could exploit these vulnerabilities, including crafting a malicious document for a user to open or to view in the Windows Preview pane.
There is currently no CVE assigned. Further details are available in Microsoft’s advisory.
Security updates for these vulnerabilities are not yet available, though they are expected to be released on Wednesday 15 April ('Patch Tuesday') as part of the Microsoft security update cycle.
Since sophisticated malicious actors target unpatched operating systems and applications, the ACSC recommends organisations:
- implement Microsoft’s security advisory mitigation advice
- patch applications and operating systems as soon as possible in line with the Essential Eight Strategies to Mitigate Cyber Security Incidents.
Further information about these vulnerabilities can be found in Microsoft’s advisory.
To report a cybercrime, visit cyber.gov.au/report