Microsoft and its updates are of utmost interest to the security community during the second Tuesday of every month, the Patch Tuesday. However, Microsoft has filled the headlines of the fourth Tuesday too with important information about two critical unpatched zero-days in Microsoft Windows operating systems. It is It is essential to have a patch management software.
A critical advisory has been released by Microsoft, urging users to safeguard their systems with a workaround until the security patches are pushed out in the upcoming Patch Tuesday. The release of this advisory scans the availability of patches can be attributed to the targeted attacks by threat actors using these unpatched zero days vulnerabilities that Microsoft is aware of. A vulnerability management tool can prevent such attacks.
ADV200006: Type 1 Font Parsing Remote Code Execution Vulnerability
Two critical vulnerabilities exist in the Adobe Type Manager Library which could allow remote attackers to execute arbitrary code on target systems. The flaws exist in the Windows Adobe Type Manager Library when it improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format. Adobe Type Manager (ATM) is a font management tool by Adobe which performs font substitution when documents need fonts which are not installed on the system. ATM is also embedded in Windows explorer for providing a preview of the documents without opening them.
Attackers can launch successful attacks by convincing users to open maliciously crafted documents or view them in the Windows Preview pane. Since the ATM is provided by a kernel module named atmfd.dll, unpatched zero days vulnerability also enables attackers to execute arbitrary code with kernel privileges.
Microsoft has mentioned that Windows 10 is at a reduced risk as successful exploitation could only allow the user to execute code within the context of the AppContainer sandbox with limited privileges and capabilities. When any font sample is opened on Windows 10, it is parsed in an AppContainer instead of directly it parsing on the kernel. This AppContainer acts as an isolated sandbox, thus preventing the malicious code from gaining elevated privileges.
Affected Systems:
- Windows 10
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
For detailed information about the affected builds and service pack numbers in unpatched zero days, please refer to the Microsoft’s advisory(ADV200006).
Please note that Microsoft will not be releasing a security update for Windows 7 systems as it has reached end-of-life in January 14, 2020.
Workaround:
Microsoft has advised users to follow a workaround to reduce the risk of attacks. As per the Microsoft advisory, the steps to be followed are :
- Disable the Preview Pane and Details Pane in Windows Explorer
This step only prevents automatic display of OTF fonts in Windows Explorer. However, an authenticated local attacker is still allowed to run a specially crafted program.
To disable these panes in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1, perform the following steps:
- Open Windows Explorer, click Organize, and then click Layout.
- Clear both the Details pane and Preview pane menu options.
- Click Organize, and then click Folder and search options.
- Click the View tab.
- Under Advanced settings, check the Always show icons, never thumbnails box.
- Close all open instances of Windows Explorer for the change to take effect.
For Windows Server 2016, Windows 10, and Windows Server 2019, perform the following steps:
- Open Windows Explorer, click the View tab.
- Clear both the Details pane and Preview pane menu options.
- Click Options, and then click Change folder and search options.
- Click the View tab.
- Under Advanced settings, check the Always show icons, never thumbnails box.
- Close all open instances of Windows Explorer for the change to take effect.
- Disable the WebClient service
This step blocks attacks from the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. An attacker can still run programs located on the targeted user’s computer or the Local Area Network (LAN), but the system will prompt users for confirmation before opening arbitrary programs from the Internet.To disable the WebClient Service, perform the following steps:
- Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
- Right-click WebClient service and select Properties.
- Change the Startup type to Disabled. If the service is running, click Stop.
- Click OK and exit the management application.
- Rename ATMFD.DLL
ATMFD.DLL is absent in Windows 10 installations starting with Windows 10, version 1709. The newer versions do not possess this DLL. They have inbuilt security mechanisms which can considerably reduce the risk of exploits.
For 32-bit systems:- Enter the following commands at an administrative command prompt:
cd "%windir%\system32" takeown.exe /f atmfd.dll icacls.exe atmfd.dll /save atmfd.dll.acl icacls.exe atmfd.dll /grant Administrators:(F) rename atmfd.dll x-atmfd.dll
- Restart the system.
For 64-bit systems:- Enter the following commands at an administrative command prompt:
cd "%windir%\system32" takeown.exe /f atmfd.dll icacls.exe atmfd.dll /save atmfd.dll.acl icacls.exe atmfd.dll /grant Administrators:(F) rename atmfd.dll x-atmfd.dll cd "%windir%\syswow64" takeown.exe /f atmfd.dll icacls.exe atmfd.dll /save atmfd.dll.acl icacls.exe atmfd.dll /grant Administrators:(F) rename atmfd.dll x-atmfd.dll
- Restart the system.
Our recommendation is to apply the workaround and follow security best practices with a patch management tool until Microsoft has released the mitigating updates for unpatched zero days vulnerability.