BD is aware of and is currently monitoring two third-party vulnerabilities that affect the Windows Adobe Type Manager Library. These third-party vulnerabilities, which Microsoft corrected with its latest patch release, are not specific to BD or our products.
These vulnerabilities exist when the Library improperly handles a specially crafted multi-master font, known as the Adobe Type 1 PostScript format. Both vulnerabilities affect Windows 7, 8.1, RT 8.1, 10, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019, and can be exploited in multiple ways. For instance, an unauthorized user could convince a user to open a malicious document in the Windows Preview Pane.
While these vulnerabilities could potentially allow an unauthenticated user to remotely execute custom code on the targeted system, Microsoft reported that the possibility of this is negligible and that elevation of privilege is not possible. Microsoft's security patch remediates these vulnerabilities by correcting the way the Windows Adobe Type Manager Library handles Type 1 fonts.
BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize the affected Windows versions:
BD has not received any reports of these third-party Microsoft vulnerabilities impacting BD products. The product list below is available to customers to help identify existing BD products that utilize Windows 7, 8.1, RT 8.1, 10, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the remediation or device status.
Customers who maintain patches independently of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s):
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by any of these third-party vulnerabilities, disconnect the device from the network and contact your BD service representative immediately.