
Microsoft Warns of 'Critical' Flaw in Windows Preview Pane

Microsoft on Monday issued Security Advisory ADV200006 for a "Critical"-rated remote code execution vulnerability in both supported and unsupported Windows systems.

Update 3/25: Microsoft updated its security advisory on March 24 to indicate that the vulnerability is just rated "Important" for Windows 10, Windows Server 2016 and Windows Server 2019 systems. It's still rated "Critical" for older systems, though. "We do not recommend that IT administrators running Windows 10 implement the workarounds described below," the advisory explained.

The flaw, which the advisory actually describes as two remote code execution vulnerabilities in the Windows Adobe Type Manager Library (atmfd.dll), has already been used in "limited, targeted attacks," per the advisory. The library "improperly handles a specially crafted multi-master font" in the Adobe Type 1 PostScript format. The bug is in the font parser, not in any particular document viewer, so it can be triggered by "convincing a user to open a specially crafted document or viewing it in the Windows [Explorer] Preview pane": Explorer parses the font to render the preview, so merely selecting the file is enough.

There's no patch currently available. Microsoft's advisory offered three "workarounds": turn off the Preview and Details panes in Windows Explorer, so that selecting a malicious file no longer parses its fonts; disable the WebClient service, which closes off WebDAV, the most likely remote delivery path; and rename ATMFD.DLL (or, on Windows 8.1 and earlier, set the DisableATMFD registry value) so the vulnerable library is never loaded. Each has limitations. The first two do not stop a local user from running a specially crafted program, and the third breaks any application that depends on Adobe Type 1 fonts. The third also does not apply to current Windows 10 releases, which no longer ship ATMFD.DLL.
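The following PowerShell script is an added example and is not code from the article or from Microsoft's advisory. It applies the first two workarounds (Explorer panes and the WebClient service), optionally sets the DisableATMFD value on Windows 8.1 and earlier, records the pre-change state so the workarounds can be reverted once the April patch lands, and refuses to run on Windows 10 without -Force, in line with Microsoft's March 24 update. Assumptions: the policy value names NoReadingPane and NoPreviewPane are taken from the File Explorer "Explorer Frame Pane" group policies (verify against gpedit.msc on your build before relying on them); the state-file path under ProgramData is arbitrary; Windows PowerShell 4.0 or later is assumed for the #Requires line and the CIM cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example for ADV200006, not Microsoft's own script. Run from an elevated prompt.

$StateFile  = Join-Path $env:ProgramData 'ADV200006-workaround-state.json'   # assumed path
$PaneKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PaneValues = 'NoReadingPane', 'NoPreviewPane'   # assumed policy names: preview pane, details pane
$AtmfdKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$AtmfdValue = 'DisableATMFD'                      # Windows 8.1 and earlier only

function Get-RegDword([string]$Key, [string]$Name) {
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-IsWindows10OrLater {
    [int]((Get-CimInstance Win32_OperatingSystem).BuildNumber) -ge 10240
}

function Get-WebClientStartMode {
    # Win32_Service reports 'Auto'; Set-Service wants 'Automatic', so normalise it.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) { return '' }
    if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }
}

function Get-Adv200006State {
    [pscustomobject]@{
        Windows10OrLater = Test-IsWindows10OrLater
        AtmfdDllPresent  = Test-Path (Join-Path $env:windir 'System32\atmfd.dll')
        PreviewPaneOff   = (Get-RegDword $PaneKey 'NoReadingPane') -eq 1
        DetailsPaneOff   = (Get-RegDword $PaneKey 'NoPreviewPane') -eq 1
        WebClientStart   = Get-WebClientStartMode
        AtmfdDisabled    = (Get-RegDword $AtmfdKey $AtmfdValue) -eq 1
    }
}

function Enable-Adv200006Workarounds {
    param([switch]$DisableAtmfd, [switch]$Force)
    $before = Get-Adv200006State
    if ($before.Windows10OrLater -and -not $Force) {
        Write-Warning 'Windows 10 / Server 2016+: Microsoft does not recommend these workarounds. Use -Force to apply anyway.'
        return $before
    }
    # Save the pre-change state once so Disable-Adv200006Workarounds can restore it.
    if (-not (Test-Path $StateFile)) { $before | ConvertTo-Json | Set-Content -Path $StateFile }

    # Workaround 1: turn off the Preview and Details panes for the current user.
    if (-not (Test-Path $PaneKey)) { New-Item -Path $PaneKey -Force | Out-Null }
    foreach ($name in $PaneValues) {
        New-ItemProperty -Path $PaneKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Workaround 2: block the WebDAV delivery path by disabling the WebClient service.
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }

    # Workaround 3 (optional): stop loading ATMFD on Windows 8.1 and earlier. Breaks Type 1 fonts.
    if ($DisableAtmfd) {
        if ($before.Windows10OrLater) {
            Write-Warning 'DisableATMFD applies to Windows 8.1 and earlier only; skipping.'
        } else {
            New-ItemProperty -Path $AtmfdKey -Name $AtmfdValue -PropertyType DWord -Value 1 -Force | Out-Null
            Write-Warning 'Reboot required for the ATMFD change to take effect.'
        }
    }
    Write-Warning 'Restart Explorer (or sign out and back in) for the pane settings to apply.'
    Get-Adv200006State
}

function Disable-Adv200006Workarounds {
    # Revert to the state recorded by Enable-Adv200006Workarounds, e.g. after patching.
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile" }
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    foreach ($name in $PaneValues) {
        Remove-ItemProperty -Path $PaneKey -Name $name -ErrorAction SilentlyContinue
    }
    if (-not $saved.AtmfdDisabled) {
        Remove-ItemProperty -Path $AtmfdKey -Name $AtmfdValue -ErrorAction SilentlyContinue
    }
    if ($saved.WebClientStart) { Set-Service -Name WebClient -StartupType $saved.WebClientStart }
    Remove-Item -Path $StateFile
    Get-Adv200006State
}

# Usage:
#   Get-Adv200006State | Format-List
#   Enable-Adv200006Workarounds -DisableAtmfd
#   Disable-Adv200006Workarounds
```

The pane values are written under HKCU, so they cover only the user running the script; for a fleet, push the same two policies through Group Policy instead. Get-Adv200006State doubles as a compliance check: AtmfdDllPresent tells you whether a host still carries the library at all, and WebClientStart shows whether the WebDAV path is open.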

The advisory suggested that patches, when available, would arrive on a normal "update Tuesday" patch release date, which happens on the second Tuesday of each month. The next update Tuesday date will be April 14.

All Windows systems are potentially subject to the flaw, including the unsupported Windows 7 and Windows Server 2008 operating systems, which lost support in January. However, Microsoft is planning to release patches for those older systems only for participants that paid into its Extended Security Updates program.

Newer Windows systems, such as Windows 10, are better protected against an exploit attempt because font parsing there runs in a user-mode process confined by AppContainer, which limits what an attack can do. On Windows 8.1 and earlier, by contrast, the Adobe Type Manager library runs in the kernel, so a successful exploit yields kernel-mode code execution, which is why those systems keep the "Critical" rating.

"For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities," the advisory explained.

AppContainer is described in a Microsoft document as a way of "isolating an application" from "unneeded resources and other applications." Code running inside the container cannot use the user's credentials to log on elsewhere or reach other resources, according to the document.

The Cybersecurity and Infrastructure Security Agency (CISA), noting Microsoft's advisory in an alert, suggested that organizations apply Microsoft's mitigations and wait until the patches become available.

"A remote attacker can exploit these vulnerabilities to take control of an affected system," the CISA alert indicated. "Microsoft is aware of limited, targeted attacks exploiting these vulnerabilities in the wild."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
