Security Alert - Microsoft Font Parsing Remote Code Vulnerability
Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font (Adobe Type 1 PostScript format). These vulnerabilities are present in all supported Windows operating systems: Windows 7, 8, 8.1, 10, Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019.
Exploitation of the vulnerabilities require a remote attacker to convince a user to open a specially crafted document or view it in the Windows Preview pane.
Microsoft is aware of targeted Windows 7 based attacks that leverage these vulnerabilities. For systems running Windows 10, Server 2016, and Server 2019 the threat of these vulnerabilities is low due to previous mitigations put in place by Microsoft in 2015.
Microsoft has not yet released security updates to patch affected systems, but has released suggested workaround mitigations. Once security updates are available, an ESU (Extended Security Updates) license will be re