author photo
By Bruce Sussman
Mon | Mar 23, 2020 | 12:41 PM PDT

As if your security team doesn't have enough going on with a massive shift to remote work. Now Microsoft is warning of a new Zero-Day exploit being used in the wild.

Currently, it's an exploit without a patch.

New Windows exploit in the wild

It relates to Adobe Type Manager and remote code execution (RCE) in Windows. Here is what Microsoft said today in its security alert:

Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released.

Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.

Microsoft is aware of this vulnerability and working on a fix.

For a list of operating system versions that are affected by this vulnerability and mitigation workarounds, see Microsoft Security Advisory ADV200006

Related podcast: how bug bounties become security patches

White hat hacking is more than good for security; it is good for the pocketbook if you are into security research, even as a side hustle.

We interviewed Brian Gorenc, Director of the Zero Day Initiative, which is the world's largest vendor agnostic bug bounty program. Listen to the episode below, or on your favorite podcast app by searching for "SecureWorld" on that platform.
 

Comments