Adobe Type Manager
Adobe Type Manager Library has been found to improperly handle the “specially-crafted multi-master font – Adobe Type 1 PostScript format”. This could allow an attacker to craft a malicious document which exploits this weakness and attempt to lure a user into opening the document or viewing it in the Windows Explorer Preview Panel, via social engineering and phishing attacks.
If successful, this could lead to code being executed within the AppContainer, meaning it would have limited privileges and capabilities. Regardless, there is still the risk of arbitrary code being run on the targeted system. Furthermore, if the attack targets the WebClient service, any code would be run using the LocalService account, which is a predefined local account used by the service control manager. Thus, it has minimum privileges on the local computer and presents anonymous credentials on the network.
The exploits are not known to grant an attacker administrative privileges on the remote system; however, the ability to execute code means it may be possible to perform further actions to escalate privileges.
At this moment in time, there is no security patch for this vulnerability. However, Microsoft has released guidance on how this exploit can be mitigated to decrease the risk to users. The workarounds are listed on the Microsoft website (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006).