Platform Security Briefing — Microsoft warns of Type 1 Font parsing zero-day (ADV200006)
Microsoft’s ADV200006 advisory warns of two Type 1 font parsing RCEs (CVE-2020-1020, CVE-2020-0938) exploited in the wild, requiring immediate patching, EMET-style mitigations, and hardened document-handling controls to close pre-auth attack paths.
Executive briefing: Microsoft published ADV200006 covering two remote code execution flaws (CVE-2020-1020 and CVE-2020-0938) in the way Windows parses Type 1 fonts through the Adobe Type Manager Library. Microsoft confirmed limited, targeted exploitation before patches were available, prompting immediate deployment of the March and April 2020 security updates and temporary mitigations such as disabling the Explorer preview pane.
Validated sources
- Microsoft advisory ADV200006 detailing affected Windows builds, known exploitation, and mitigation steps.
- MSRC CVE-2020-1020 entry confirming pre-auth RCE impact and patch availability via monthly rollups.
- MSRC CVE-2020-0938 entry listing the same attack surface and required updates for supported versions.
Control mappings
- NIST SP 800-53 Rev. 5 SI-2 & RA-5: Apply timely remediation and vulnerability scanning to confirm the font parsing patches land across managed endpoints.
- CIS Controls v8 7.3 & 16.13: Validate automatic update configurations and enforce email/web controls to block untrusted document execution while remediation is underway.
- ISO/IEC 27001:2022 Annex A.8.8: Maintain secure configuration baselines that disable unnecessary preview handlers and enforce least privilege on font libraries.
Implementation checklist
- Deploy the March and April 2020 cumulative updates or Extended Security Updates where applicable; confirm via WSUS or Endpoint Manager compliance reports.
- Disable the Windows Explorer preview pane and WebClient service on unpatched systems to remove common attack vectors, as recommended in ADV200006.
- Harden document workflows: strip embedded fonts in email gateways, sandbox inbound documents, and monitor for abnormal fontdrvhost.exe or splwow64.exe behavior.
- Inventory unsupported Windows 7 or Server 2008 systems and isolate them with application allowlists and limited network egress until decommissioned.
- Run targeted detection for known exploit indicators (suspicious font files dropped in %TEMP%, anomalous crashes in ATMFD.dll) and feed results into incident response.
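The checklist above as one runnable PowerShell script. This is an added example, not code from ADV200006 or from Microsoft: it checks patch presence, applies the preview-pane and WebClient mitigations only where the patch is missing, and sweeps %TEMP% for Type 1 font files by content rather than by extension. The KB identifier is a placeholder to be taken from the advisory for your build, and the Explorer Frame Pane policy value names (NoReadingPane, NoPreviewPane) are my assumption to confirm against your ADMX templates before wide deployment.

```powershell
#Requires -RunAsAdministrator
# Added example, not taken from ADV200006: interim mitigations from the checklist plus a
# hunt for dropped Type 1 font files. KB identifiers and the Explorer policy value names
# are assumptions to confirm against the advisory and your ADMX templates.

function Test-FontPatchInstalled {
    # Compliance check for the checklist's first item. Supply the KB numbers that
    # ADV200006 lists for the build you manage; the value below is a placeholder.
    param([string[]]$KbIds = @('KB<from-ADV200006>'))
    $present = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -in $KbIds }
    [PSCustomObject]@{
        Computer  = $env:COMPUTERNAME
        Installed = @($present).Count -gt 0
        Matched   = ($present | ForEach-Object HotFixID) -join ','
    }
}

function Disable-ExplorerPreviewPane {
    # Explorer Frame Pane policies for the current user. Assumed mapping (verify in the
    # ADMX templates): NoReadingPane disables the Preview pane, NoPreviewPane the Details pane.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoReadingPane' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'NoPreviewPane' -Value 1 -Type DWord
    Get-ItemProperty -Path $key | Select-Object NoReadingPane, NoPreviewPane
}

function Disable-WebClientService {
    # WebClient is the WebDAV redirector; with it stopped, a document cannot pull a
    # remote font over WebDAV, which is why ADV200006 lists it as a workaround.
    $svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'WebClient service not present on this host' }
    Set-Service -Name 'WebClient' -StartupType Disabled
    if ($svc.Status -eq 'Running') { Stop-Service -Name 'WebClient' -Force }
    Get-Service -Name 'WebClient' | Select-Object Name, Status, StartType
}

function Find-Type1FontFile {
    # Flags files by content, not extension: binary PFB starts with a 0x80 0x01 segment
    # header, ASCII PFA with "%!PS-AdobeFont" or "%!FontType1". A dropped font need not
    # carry .pfb/.pfa, so extension-based searches miss it.
    param([string]$Path = $env:TEMP)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $buf = New-Object byte[] 16
        $n = 0
        try {
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
        } catch { return }   # locked or unreadable file: skip it, do not abort the sweep
        $kind = $null
        if ($n -ge 2 -and $buf[0] -eq 0x80 -and $buf[1] -eq 0x01) { $kind = 'PFB' }
        elseif ($n -gt 0) {
            $head = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
            if ($head.StartsWith('%!PS-AdobeFont') -or $head.StartsWith('%!FontType1')) { $kind = 'PFA' }
        }
        if ($kind) {
            [PSCustomObject]@{ Path = $_.FullName; Kind = $kind; Bytes = $_.Length; Written = $_.LastWriteTime }
        }
    }
}

# Usage: check first, apply mitigations only where the patch is missing,
# then export the font hits for incident response to triage.
$patch = Test-FontPatchInstalled
if (-not $patch.Installed) {
    Disable-ExplorerPreviewPane
    Disable-WebClientService
}
Find-Type1FontFile | Export-Csv -Path "$env:ProgramData\adv200006-fonthits.csv" -NoTypeInformation
```

The preview-pane change is per-user (HKCU), so push it through Group Policy or a logon script rather than relying on a single interactive run; the WebClient change is machine-wide and takes effect immediately. Font hits are only indicators: a legitimate installer can unpack PFB files to %TEMP%, so the CSV is triage input, not a verdict.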
Exposure and risk considerations
- Because Type 1 font parsing executes at the Windows kernel level, successful exploitation can yield SYSTEM privileges without user awareness; prioritize high-value endpoints and VDI images.
- Organizations that allow embedded fonts in PDF workflows or marketing content face higher likelihood of exploit delivery; tighten content filtering during remediation.
- Legacy applications that rely on Adobe Type Manager are common on design or print servers; validate these workloads receive patches and monitoring before being brought back online.
- Document business impact for any mitigations that disable preview functionality so exceptions are temporary and tracked against patch availability.
Verification and assurance steps
- Confirm gold images and deployment templates include the fixed ATMFD.dll versions; hash-check binaries during build pipelines to prevent regression.
- Use vulnerability scanners to validate CVE-2020-1020 and CVE-2020-0938 closure and export reports for audit evidence.
- Collect EDR telemetry for font parsing crashes or exploit chains and retain at least 30 days of logs while monitoring continues.
- Review exception approvals weekly and require business owners to reaffirm compensating controls until the systems are patched or retired.
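Evidence collection for the verification steps above, as an added PowerShell example that is not part of the advisory or of any Microsoft tooling. It records the hash and file version of the installed ATMFD.dll against an expected value (a placeholder here, to be taken from a patched reference image), and pulls Application Error events whose faulting process or module is the font parser. The event parsing assumes the standard "Application Error" (Event ID 1000) message layout.

```powershell
# Added example, not from ADV200006: verification evidence for the checklist above. The
# expected hash is a placeholder to be taken from a patched reference build; event
# parsing relies on the standard "Application Error" (Event ID 1000) message text.

function Get-AtmfdEvidence {
    # Hash and version of the Type 1 font driver as installed. On builds where the
    # library is absent, report that rather than fail the pipeline step.
    param([string]$ExpectedSha256 = '<SHA256-of-atmfd.dll-from-patched-reference-image>')
    $path = Join-Path $env:windir 'System32\atmfd.dll'
    if (-not (Test-Path $path)) {
        return [PSCustomObject]@{ Computer = $env:COMPUTERNAME; Present = $false; Path = $path
                                  FileVersion = $null; Sha256 = $null; HashMatches = $null }
    }
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash   # returned upper-case
    [PSCustomObject]@{
        Computer    = $env:COMPUTERNAME
        Present     = $true
        Path        = $path
        FileVersion = (Get-Item $path).VersionInfo.FileVersion
        Sha256      = $hash
        HashMatches = $hash -eq $ExpectedSha256.ToUpperInvariant()
    }
}

function Get-FontParserCrash {
    # Application Error events whose faulting process or module is the font parser.
    # The regexes read the two fields from the standard 1000 event text; a crash here
    # is the kind of anomaly the checklist asks to route into incident response.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $app = if ($_.Message -match 'Faulting application name:\s*([^,\r\n]+)') { $Matches[1] } else { '' }
        $mod = if ($_.Message -match 'Faulting module name:\s*([^,\r\n]+)')      { $Matches[1] } else { '' }
        if ($app -match '^(fontdrvhost|splwow64)\.exe$' -or $mod -match '^atmfd\.dll$') {
            [PSCustomObject]@{ Time = $_.TimeCreated; Process = $app; Module = $mod; RecordId = $_.RecordId }
        }
    }
}

# Usage: write both results as dated audit evidence next to the scanner export.
$stamp = Get-Date -Format 'yyyyMMdd'
Get-AtmfdEvidence | Export-Csv -Path "$env:ProgramData\atmfd-evidence-$stamp.csv" -NoTypeInformation
Get-FontParserCrash -Days 30 | Export-Csv -Path "$env:ProgramData\font-crashes-$stamp.csv" -NoTypeInformation
```

Run Get-AtmfdEvidence inside the image build pipeline so a template that regresses to an unpatched library fails the build before it is deployed; the 30-day window on Get-FontParserCrash matches the retention period the checklist sets, and a hit from a host that reports HashMatches as false is the first thing to escalate.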