CVE-2020-0938: Adobe Font Manager Library Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.8)

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Actively Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Apr

Released

2020-04-14

Last Updated

2020-04-14

EPSS Score

87.02% (percentile: 99.4%)

CISA KEV

Listed — due 2022-05-03

Description

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.

FAQ

Is Microsoft aware of attacks that attempt to leverage this vulnerability? Yes, Microsoft is aware of limited, targeted attacks that attempt to leverage this vulnerability. Do I need an ESU license to receive the update for Windows 7, Windows Server 2008 and Windows Server 2008 R2 for this vulnerability? Yes, to receive the security update for this vulnerability for Windows 7, Windows Server 2008, or Windows Server 2008 R2 you must have an ESU license. See 4522133 for more information. Why is this update not being released for all Windows 7 customers? Windows 7 reached end of support on January 14, 2020. For more information on Microsoft lifecycle policies, please visit Life Cycle. Is the Outlook Preview Pane an attack vector for this vulnerability? No, the Outlook Preview Pane is NOT an attack vector for this vulnerability Is the Windows Explorer Preview Pane an attack vector for this vulnerability? Yes, the Windows Explorer Preview Pane is an attack vector for this vulnerability Is Enhanced Security Configuration, which is on by default on Windows Servers, a mitigation for this vulnerability? No, Enhanced Security Configuration does not mitigate this vulnerability.

Affected Products (41)

Windows

• Windows 10 Version 1803 for 32-bit Systems
• Windows 10 Version 1803 for x64-based Systems
• Windows Server, version 1803 (Server Core Installation)
• Windows 10 Version 1803 for ARM64-based Systems
• Windows 10 Version 1809 for 32-bit Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows 10 Version 1809 for ARM64-based Systems
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows 10 Version 1909 for 32-bit Systems
• Windows 10 Version 1909 for x64-based Systems
• Windows 10 Version 1909 for ARM64-based Systems
• Windows Server, version 1909 (Server Core installation)
• Windows 10 Version 1709 for 32-bit Systems
• Windows 10 Version 1709 for x64-based Systems
• Windows 10 Version 1709 for ARM64-based Systems
• Windows 10 Version 1903 for 32-bit Systems
• Windows 10 Version 1903 for x64-based Systems
• Windows 10 Version 1903 for ARM64-based Systems
• Windows Server, version 1903 (Server Core installation)
• Windows 10 for 32-bit Systems
• Windows 10 for x64-based Systems
• Windows 10 Version 1607 for 32-bit Systems
• Windows 10 Version 1607 for x64-based Systems
• Windows Server 2016
• Windows Server 2016 (Server Core installation)
• Windows 8.1 for 32-bit systems
• Windows 8.1 for x64-based systems
• Windows RT 8.1
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)

ESU

• Windows 7 for 32-bit Systems Service Pack 1
• Windows 7 for x64-based Systems Service Pack 1
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Security Updates (14)

• 4550922
• 4549949
• 4549951
• 4550927
• 4550930
• 4550929
• 4550964
• 4550965
• 4550961
• 4550970
• 4550951
• 4550957
• 4550917
• 4550971

Acknowledgments

Liubenjin and Zhiyi Zhang from Codesafe Team of Legendsec at Qi'anxin Group, Google: Project Zero and Threat Analysis Group

Revision History

• 2020-04-14: Information published.
• 2020-04-14: Updated FAQ information. This is an informational change only.