Microsoft and its updates are of utmost interest for the security community during the second Tuesday of every month, the Patch Tuesday. However, Microsoft has filled the headlines of the fourth Tuesday too with important information about two critical unpatched zero-days in Microsoft Windows operating systems.

Microsoft has released a critical advisory urging users to protect their systems with a workaround until the security patches ship in the upcoming Patch Tuesday. Releasing the advisory before patches are available reflects the fact that Microsoft is aware of limited, targeted attacks exploiting these unpatched vulnerabilities.


ADV200006: Type 1 Font Parsing Remote Code Execution Vulnerability

Two critical vulnerabilities exist in the Adobe Type Manager Library which could allow remote attackers to execute arbitrary code on target systems. The flaws occur when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format. Adobe Type Manager (ATM) is a font management tool by Adobe which performs font substitution when documents need fonts that are not installed on the system. ATM is also embedded in Windows Explorer to provide previews of documents without opening them.

Attackers can launch successful attacks by convincing users to open maliciously crafted documents or view them in the Windows Preview pane. Since ATM is provided by a kernel module named atmfd.dll, the vulnerability also enables attackers to execute arbitrary code with kernel privileges.

Microsoft has noted that Windows 10 is at reduced risk, as successful exploitation would only allow code execution within the context of the AppContainer sandbox, with limited privileges and capabilities. On Windows 10, any font sample that is opened is parsed in an AppContainer instead of directly in the kernel. This AppContainer acts as an isolated sandbox, preventing malicious code from gaining elevated privileges.

[Figure: AppContainer protects against untrusted fonts in Windows 10 Anniversary Update. Credits: https://www.microsoft.com]


Affected Systems

  • Windows 10
  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

For detailed information about the affected builds and service pack numbers, please refer to Microsoft's advisory (ADV200006).

Please note that Microsoft will not be releasing a security update for Windows 7 systems, as Windows 7 reached end-of-life on January 14, 2020.


Workaround

Microsoft has advised users to follow a workaround to reduce the risk of attacks. As per the Microsoft advisory, the steps to be followed are:

  • Disable the Preview Pane and Details Pane in Windows Explorer

    This step only prevents automatic display of OTF fonts in Windows Explorer. However, an authenticated local attacker is still allowed to run a specially crafted program.

    To disable these panes in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1, perform the following steps:

    1. Open Windows Explorer, click Organize, and then click Layout.
    2. Clear both the Details pane and Preview pane menu options.
    3. Click Organize, and then click Folder and search options.
    4. Click the View tab.
    5. Under Advanced settings, check the Always show icons, never thumbnails box.
    6. Close all open instances of Windows Explorer for the change to take effect.

    For Windows Server 2016, Windows 10, and Windows Server 2019, perform the following steps:

    1. Open Windows Explorer, click the View tab.
    2. Clear both the Details pane and Preview pane menu options.
    3. Click Options, and then click Change folder and search options.
    4. Click the View tab.
    5. Under Advanced settings, check the Always show icons, never thumbnails box.
    6. Close all open instances of Windows Explorer for the change to take effect.
  • Disable the WebClient service
    This step blocks attacks from the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. However, an attacker can still run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

    To disable the WebClient Service, perform the following steps:

    1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
    2. Right-click WebClient service and select Properties.
    3. Change the Startup type to Disabled. If the service is running, click Stop.
    4. Click OK and exit the management application.
  • Rename ATMFD.DLL
    ATMFD.DLL is absent in Windows 10 installations starting with Windows 10, version 1709. The newer versions do not possess this DLL, but have inbuilt security mechanisms which can considerably reduce the risk of exploits.

    For 32-bit systems:

    1. Enter the following commands at an administrative command prompt:
       cd "%windir%\system32"
       takeown.exe /f atmfd.dll
       icacls.exe atmfd.dll /save atmfd.dll.acl
       icacls.exe atmfd.dll /grant Administrators:(F)
       rename atmfd.dll x-atmfd.dll
    2. Restart the system.

    For 64-bit systems:

    1. Enter the following commands at an administrative command prompt:
       cd "%windir%\system32"
       takeown.exe /f atmfd.dll
       icacls.exe atmfd.dll /save atmfd.dll.acl
       icacls.exe atmfd.dll /grant Administrators:(F)
       rename atmfd.dll x-atmfd.dll
       cd "%windir%\syswow64"
       takeown.exe /f atmfd.dll
       icacls.exe atmfd.dll /save atmfd.dll.acl
       icacls.exe atmfd.dll /grant Administrators:(F)
       rename atmfd.dll x-atmfd.dll
    2. Restart the system.
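As an added example (not code from Microsoft's advisory or from SecPod), the WebClient and ATMFD.DLL steps above combined into one administrative PowerShell script that also verifies the result. It assumes the default %windir% layout, that it is run with administrative rights, and keeps the advisory's ACL backup file name so the change can be reverted once patches are installed.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's or SecPod's code): applies the "Disable the
# WebClient service" and "Rename ATMFD.DLL" workarounds from ADV200006 and
# reports the result. Keeps the advisory's ACL backup name (atmfd.dll.acl) so
# "icacls atmfd.dll /restore atmfd.dll.acl" can undo the change once patched.
# On x64 run from 64-bit PowerShell: WoW64 would redirect system32 to syswow64.
function Get-AtmfdDirectories {
    # Both DLL locations the advisory names; syswow64 only exists on x64.
    $dirs = @("$env:windir\system32")
    if ([Environment]::Is64BitOperatingSystem) { $dirs += "$env:windir\syswow64" }
    return $dirs
}

function Disable-WebClientService {
    # Stop and disable the WebDAV client, the most likely remote vector per the advisory.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host 'WebClient service not present'; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    $svc = Get-Service -Name WebClient
    Write-Host ("WebClient: status={0} startup={1}" -f $svc.Status, $svc.StartType)
}

function Rename-AtmfdDll {
    param([string]$Directory)
    # Same takeown / ACL backup / grant / rename sequence as the advisory, but
    # skipped where the DLL is already absent (Windows 10 1709 and later).
    $dll = Join-Path $Directory 'atmfd.dll'
    if (-not (Test-Path $dll)) { Write-Host "$dll not present, nothing to do"; return }
    Push-Location $Directory
    try {
        takeown.exe /f atmfd.dll | Out-Null
        icacls.exe atmfd.dll /save atmfd.dll.acl | Out-Null
        icacls.exe atmfd.dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path atmfd.dll -NewName x-atmfd.dll
        Write-Host "Renamed $dll to x-atmfd.dll (ACL saved to atmfd.dll.acl)"
    } finally { Pop-Location }
}

function Get-AtmfdWorkaroundStatus {
    # Post-check: the DLL should no longer be present under its loadable name.
    foreach ($d in Get-AtmfdDirectories) {
        Write-Host ("{0}\atmfd.dll present: {1}" -f $d, (Test-Path (Join-Path $d 'atmfd.dll')))
    }
}

Disable-WebClientService
foreach ($d in Get-AtmfdDirectories) { Rename-AtmfdDll -Directory $d }
Get-AtmfdWorkaroundStatus
```

A restart is still required after the rename, as the advisory states, because the driver stays loaded until reboot.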

Our recommendation is to apply the workaround and follow security best practices until Microsoft has released the mitigating updates for this vulnerability.

Article: Microsoft warns of active attacks on Windows using unpatched zero-days
Publisher: SecPod Technologies
