Monday 6 April 2020

Critical Flaw in Windows Preview Pane

Microsoft on 23/3/2020 issued Security Advisory ADV200006 for a "Critical"-rated remote code execution vulnerability in both supported and unsupported Windows systems.

Microsoft updated its security advisory on March 24 to indicate that the vulnerability is just rated "Important" for Windows 10, Windows Server 2016 and Windows Server 2019 systems. It's still rated "Critical" for older systems, though. "We do not recommend that IT administrators running Windows 10 implement the workarounds described below," the advisory explained.

The vulnerability, associated with the Adobe Type Manager Library in Windows systems, has been exposed to "limited, targeted attacks," per the advisory. The library "improperly handles a specially crafted multi-master font." This flaw can be exploited by "convincing a user to open a specially crafted document or viewing it in the Windows [Explorer] Preview pane."

There's no patch currently available. Microsoft's advisory offered three "workarounds" to implement, but they all have limitations.

More info & sources: Microsoft, Redmond