
Microsoft warns of Type 1 Font parsing zero-day (ADV200006)

Microsoft’s ADV200006 advisory warns of two Type 1 font parsing RCEs (CVE-2020-1020, CVE-2020-0938) exploited in the wild, requiring immediate patching, EMET-style mitigations, and hardened document-handling controls to close pre-auth attack paths.

Reviewed for accuracy by Kodi C.


Microsoft published ADV200006 for two remote code execution flaws (CVE-2020-1020 and CVE-2020-0938) in how Windows handles Type 1 fonts via the Adobe Type Manager Library. Microsoft confirmed limited, targeted exploitation before patches, prompting immediate deployment of March and April 2020 security updates and temporary mitigations such as preview pane disablement.


Control mappings

  • NIST SP 800-53 Rev.5 SI-2 & RA-5: Apply timely remediation and vulnerability scanning to confirm the font parsing patches land across managed endpoints.
  • CIS Controls v8 7.3 & 16.13: Validate automatic update configurations and enforce email/web controls to block untrusted document execution while remediation is underway.
  • ISO/IEC 27001:2022 Annex A.8.8: Maintain secure configuration baselines that disable unnecessary preview handlers and enforce least privilege on font libraries.

Implementation checklist

  • Deploy the March and April 2020 cumulative updates or Extended Security Updates where applicable; confirm via WSUS or Endpoint Manager compliance reports.
  • Disable the Windows Explorer preview pane and WebClient service on unpatched systems to remove common attack vectors, as recommended in ADV200006.
  • Harden document workflows: strip embedded fonts in email gateways, sandbox inbound documents, and monitor for abnormal fontdrvhost.exe or splwow64.exe behavior.
  • Inventory unsupported Windows 7 or Server 2008 systems and isolate them with application allowlists and limited network egress until decommissioned.
  • Run targeted detection for known exploit indicators (suspicious font files dropped in %TEMP%, anomalous crashes in ATMFD.dll) and feed results into incident response.

Exposure and risk considerations

  • Because Type 1 font parsing executes at the Windows kernel level, successful exploitation can yield SYSTEM privileges without user awareness; focus on high-value endpoints and VDI images.
  • Organizations that allow embedded fonts in PDF workflows or marketing content face higher likelihood of exploit delivery; tighten content filtering during remediation.
  • Legacy applications that rely on Adobe Type Manager are common on design or print servers; validate these workloads receive patches and monitoring before being brought back online.
  • Document business impact for any mitigations that disable preview functionality so exceptions are temporary and tracked against patch availability.

Verification and assurance steps

  • Confirm gold images and deployment templates include the fixed ATMFD.dll versions; hash-check binaries during build pipelines to prevent regression.
  • Use vulnerability scanners to validate CVE-2020-1020 and CVE-2020-0938 closure and export reports for audit evidence.
  • Collect EDR telemetry for font parsing crashes or exploit chains and retain at least 30 days of logs while monitoring continues.
  • Review exception approvals weekly and require business owners to reaffirm compensating controls until the systems are patched or retired.

Attack Vector Analysis

The Type 1 font vulnerabilities exploit the Adobe Type Manager Library (ATMFD.dll) which Windows uses to render certain font formats. Attackers can deliver malicious fonts through multiple vectors: embedded fonts in documents, web pages referencing malicious font files, or font files stored in accessible directories that Windows Explorer previews.

Document-based attacks represent the most likely exploitation path. Malicious documents containing specially crafted Type 1 fonts trigger the vulnerability when opened or previewed. Email-delivered documents and downloaded files from compromised websites serve as primary delivery mechanisms.

Preview pane exploitation enables attacks without opening malicious files. Windows Explorer renders font previews automatically, so code execution can be triggered when a user simply navigates to a directory containing a malicious font file. This pre-authentication attack path is particularly dangerous.

Web-based vectors require users to visit attacker-controlled or compromised websites that reference malicious font files. Browser sandboxing provides some protection, but successful exploitation could escape the sandbox and achieve system-level code execution.

Mitigation Effectiveness

Microsoft's recommended mitigations significantly reduce attack surface while awaiting patches. Preview pane disablement eliminates the file-browsing attack vector by preventing automatic font rendering during navigation. This mitigation has minimal operational impact for most users.

WebClient service disablement blocks remote WebDAV-based attacks that could deliver malicious fonts over the network. Organizations not using WebDAV for legitimate purposes should disable this service permanently.

File type blocking at email gateways and web proxies prevents delivery of Type 1 font files. Block .pfm, .pfb, and other Type 1 font extensions at network boundaries to reduce exposure during the patch window.
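Extension rules miss a Type 1 file that has been renamed, so a gateway filter or a sweep for fonts dropped in %TEMP% is stronger when it also checks content. The following is an added example, not code from Microsoft's advisory or from this briefing: it recognizes PFB and PFA files by their header bytes and matches .pfm by extension only. The function names and sample bytes are constructed for illustration.

```python
from __future__ import annotations
import struct
from pathlib import Path

TYPE1_EXTENSIONS = {".pfb", ".pfa", ".pfm"}
# Opening text of the cleartext portion of a Type 1 font program.
TYPE1_HEADERS = (b"%!PS-AdobeFont", b"%!FontType1")

def sniff_type1(data: bytes) -> str | None:
    """Return 'pfb' or 'pfa' when the bytes look like a Type 1 font."""
    # PFB framing: 0x80 marker, segment type 1 (ASCII), 4-byte LE length.
    if len(data) > 6 and data[0] == 0x80 and data[1] == 0x01:
        (seg_len,) = struct.unpack_from("<I", data, 2)
        if seg_len > 0 and data[6:].startswith(TYPE1_HEADERS):
            return "pfb"
    # PFA: the same font program as plain text, without segment framing.
    if data.lstrip().startswith(TYPE1_HEADERS):
        return "pfa"
    return None

def classify(name: str, data: bytes) -> dict:
    """Block on content OR extension; flag fonts hiding under other names."""
    ext = Path(name).suffix.lower()
    kind = sniff_type1(data[:512])
    return {
        "name": name,
        "block": kind is not None or ext in TYPE1_EXTENSIONS,
        "content_type": kind,
        "disguised": kind is not None and ext not in TYPE1_EXTENSIONS,
    }

def scan_directory(root: str) -> list[dict]:
    """Walk a folder (quarantine share, a copy of %TEMP%) and list hits."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                verdict = classify(path.name, fh.read(512))
            if verdict["block"]:
                hits.append({**verdict, "path": str(path)})
    return hits

# Constructed samples: header bytes only, not real fonts.
PFA_HEAD = b"%!PS-AdobeFont-1.0: Example 001.000\n"
PFB_HEAD = b"\x80\x01" + struct.pack("<I", len(PFA_HEAD)) + PFA_HEAD
SAMPLES = {"invoice.pdf": b"%PDF-1.7\n", "logo.pfb": PFB_HEAD,
           "readme.txt": PFB_HEAD, "notes.tmp": PFA_HEAD}
if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(classify(name, body))
```

Entries with `disguised` set are the ones an extension-only rule would have let through and are the first to route to incident response.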

Legacy System Considerations

Windows 7 and Server 2008 systems remain vulnerable and require Extended Security Updates (ESU) for patch access. Organizations with ESU agreements should apply patches when available; those without ESU must rely entirely on mitigations or accelerate migration plans.

Embedded systems and specialized workstations running unsupported Windows versions require network isolation and strict application allowlisting. These systems present persistent vulnerability until replaced with supported platforms.

Document all legacy system exceptions with business justification, compensating controls, and migration timelines. Regulatory requirements may mandate specific timelines for addressing known vulnerabilities on systems processing sensitive data.


References

  1. Type 1 Font Parsing Remote Code Execution Vulnerability — Microsoft Security Response Center
  2. CVE-2020-1020 — Microsoft Security Response Center
  3. CVE-2020-0938 — Microsoft Security Response Center