News

Windows Preview Pane Hit with 'Critical' Remote Code Execution Flaw

• By Kurt Mackie
• 03/24/2020

A "Critical"-rated remote code execution vulnerability in both supported and unsupported Windows systems has been exposed to "limited, targeted attacks," Microsoft warned in a security advisory this week.

Update 3/25: Microsoft updated its security advisory on March 24 to indicate that the vulnerability is just rated "Important" for Windows 10, Windows Server 2016 and Windows Server 2019 systems. It's still rated "Critical" for older systems, though. "We do not recommend that IT administrators running Windows 10 implement the workarounds described below," the advisory explained.

The vulnerability is associated with the Adobe Type Manager Library in Windows systems. The library "improperly handles a specially crafted multi-master font." This flaw can be exploited by "convincing a user to open a specially crafted document or viewing it in the Windows [Explorer] Preview pane."

There's no patch currently available. Microsoft's advisory offered three "workarounds" to implement, but they all have limitations.

The advisory suggested that patches, when available, would arrive on a normal "update Tuesday" patch release date, which happens on the second Tuesday of each month. The next update Tuesday date will be April 14.

All Windows systems are potentially subject to the flaw, including the unsupported Windows 7 and Windows Server 2008 operating systems, which lost support in January. However, Microsoft is planning to release patches for those older systems only for participants that paid into its Extended Security Updates program.

Newer Windows systems, such as Windows 10, are better protected against an exploit attempt because AppContainer technology limits what an attack can do.

"For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities," the advisory explained.

AppContainer is described in a Microsoft document as "isolating an application" away from "unneeded resources and other applications." User credentials can't be used to log in or gain access to other resources, according to the document.

The Cybersecurity and Infrastructure Security Agency (CISA), noting Microsoft's advisory in an alert, suggested that organizations apply Microsoft's mitigations and wait until the patches become available.

"A remote attacker can exploit these vulnerabilities to take control of an affected system," the CISA alert indicated. "Microsoft is aware of limited, targeted attacks exploiting these vulnerabilities in the wild."