ACROS Security’s 0patch Service Released Unofficial Patches for Two Actively Exploited Windows Vulnerabilities

WindowsUpdates

ACROS Security’s 0patch program has created non-official fixes for two Windows bugs that Microsoft has failed to repair.

Microsoft revealed earlier this week that it had become aware of targeted attacks using two Windows zero-days related to the way the Adobe Type Manager Library handles PostScript Type 1 fonts.

Adobe said that Microsoft solely sponsors the compromised library and that Adobe users are not at danger.

Hackers will manipulate vulnerabilities by forcing users to open specially designed documents or display them in the Windows preview section. It does not seem necessary to hack bugs from the Internet Explorer or the Outlook test screen.

Security holes affect Windows 10, 7, 8.1, Server 2008, Server 2012, Server 2016, Server 2019, and Web. However, Windows 10 provides security mechanisms that significantly reduce the risk of assaults.

Patches are expected to be published only by Microsoft for its April 2020 protection patches. However, consumers may submit workarounds to avoid abuse. Windows 7 will also be updated, but patches will only be made accessible by Microsoft to clients with an Extended Software Upgrade (ESU) certificate.

In the meantime, 0patch has published an unofficial patch that will be distributed free of charge before the approved patches are carried out by Microsoft. In essence, the 0patch update will only be accessible to its paid customers.

0patch has been applied to Windows 7 and Windows Server 2008 R2 without ESU. Unofficial updates for Windows 7 and Server 2008 R2 with ESU, Windows 8.1, and Windows Server 2012 will also be made. The fix of the business just avoids remote manipulation.

“With this micropatch in place, all applications using Windows GDI for font-related operations will find any Adobe Type 1 PostScript fonts rendered invalid and unable to load,” 0patch explained in a blog post describing its fix.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.