Active Exploitation of Unpatched Windows Font Parsing Vulnerability

Last updated at Tue, 25 Apr 2023 22:27:52 GMT

Yesterday (March 23), Microsoft published details about two unpatched vulnerabilities in a font rendering technology in many versions of Microsoft Windows with a warning that Microsoft was aware of “limited, targeted attacks” leveraging the unpatched flaws. The vulnerability has different levels of impact depending on the target, installed software, and deployed mitigations. While the vulnerable code is present in Windows 7 through Windows Server 2019, active exploitation appears to be targeting specific Windows 7 users.

Vulnerability details: The two vulnerabilities exist when the library improperly handles a specially-crafted font in the Adobe Type 1 Postscript format. There are multiple attack vectors for leveraging the vulnerability by allowing these types of fonts to be processed—for instance, social engineering attacks that convince a user to open a file, or viewing a file through the Windows preview pane.

Affected versions include:

• All versions of Windows from 7 through Windows Server 2019

MSRC has released a set of recommended mitigations for this vulnerability.

Rapid7 analysis: This vulnerability requires a degree of precision from an attacker in order to successfully execute an attack. While it's couched as a remote code execution vulnerability, it does require that the user download and open or view a corrupted font file before exploitation is possible. Microsoft indicated in their advisory that targets of active exploitation were limited to Windows 7. This likely means that successful exploitation on newer operating systems is much more difficult. Mitigations present in Windows 10 and related operating systems prevent an affected application from escaping the Windows sandbox, limiting the blast radius of this attack.

Guidance for Rapid7 customers: The Microsoft Security Research Center (MSRC) has released a set of recommended mitigations for this vulnerability, which can be used as a stop-gap until a patch for this vulnerability is available.

The mitigation recommended by the MSRC may affect the behavior of some applications, but this will depend on individual environment configurations. Some mitigations may already be part of customers’ security policies, such as disabling the preview pane in Windows Explorer. This can also be implemented in Group Policy Objects (GPO) under User Configuration\Administrative Templates\Windows Components\File Explorer\Explorer Frame Pane.

Newer versions of Windows contain security mitigations and sandboxing technologies that can substantially increase the cost of developing a successful exploit, reducing the impact to users. Rapid7 recommends using currently-supported versions of Windows in order to provide additional protections against exploitation. While out-of-band advisories for unpatched vulnerabilities are always notable, it is important to recognize that their impact is substantially diminished through the use of up-to-date software and defense-in-depth.