Microsoft Windows has come under attack by computer criminals following the discovery of a bug in the system which allows specially crafted documents to be used to deliver malware to victim systems. The issue is tracked in the ADV200006 security advisory and affects both desktop and server editions of the operating system.
The ADV200006 Advisory Reveals How Microsoft Windows Computers Can Be Hacked By Crafted Documents
A dangerous vulnerability has revealed that Microsoft Windows computers can be intruded upon using documents. The weakness was found in the way fonts are managed by the operating system. Since the initial discovery of the problem in April this year the company has produced fixes for all modern versions of Microsoft Windows. The advisory that covers the issue is called ADV200006: Type 1 Font Parsing Remote Code Execution Vulnerability. The issue was found to be contained in a library called Windows Adobe Type Manager, which the operating system uses to handle PostScript Type 1 fonts. Office programs and graphics editing software use them to display a certain type of fonts and to show them in preview panels and other auxiliary software.
When exploited through the affected programs, the vulnerability allows attackers to conduct remote code execution, leading to infection with viruses, file corruption and other dangerous activity. The criminals need to create special fonts crafted in a way that triggers the bug. There are several ways through which this can be done: users can be sent phishing messages that include documents containing the hacker-made fonts, or they can be sent files containing the devised fonts that are then viewed using the Windows Preview pane.
Microsoft has released updates for this advisory as part of a subsequent advisory release tracked in CVE-2020-1020. We advise all Microsoft Windows users to apply all the latest security updates in order to stay safe. As the bug was rated as dangerous, the company provided a temporary mitigation until the fix was released.