Microsoft has announced a new security advisory, warning users of two zero-day vulnerabilities that could lead to remote code execution. These two vulnerabilities are currently unpatched and affect all supported versions of the Windows Operating System.
The remote code execution vulnerabilities originate from the Adobe Type Manager Library, which is part of the font management built into Windows. This software is used to parse fonts between documents, which are either opened using third party software or previewed in the Windows Explorer Graphical User Interface (GUI).
Adobe Type Manager
Adobe Type Manager Library has been found to improperly handle the “specially-crafted multi-master font – Adobe Type 1 PostScript format”. This could allow an attacker to craft a malicious document which exploits this weakness and attempt to lure a user into opening the document or viewing it in the Windows Explorer Preview Panel, via social engineering and phishing attacks.
If successful, this could lead to code being executed within the AppContainer, meaning it would have limited privileges and capabilities. Regardless, there is still the risk of arbitrary code being run on the targeted system. Furthermore, if the attack targets the WebClient service, any code would be run using the LocalService account, which is a predefined local account used by the service control manager. Thus, it has minimum privileges on the local computer and presents anonymous credentials on the network.
The exploits are not known to grant an attacker administrative privileges on the remote system; however, the ability to execute code means it may be possible to perform further actions to escalate privileges.
At this moment in time, there is no security patch for this vulnerability. However, Microsoft has released guidance on how this exploit can be mitigated to decrease the risk to users. The workarounds are listed on the Microsoft website (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006).
Disable the Preview and Details Panes in Windows Explorer
Disabling these panes will prevent the file from being previewed within the Windows Explorer GUI, therefore preventing any malicious code that happens to be embedded within the OTF fonts from being executed. The drawback of this workaround is that a user could still click to manually open the file, and in doing so, the code will be executed.
To disable these panes:
- Open Windows Explorer, click the View
- Unselect the Preview and Details
- Click the Options menu and select ‘Folder and search options’
- In this window, select the View
- Under the Advance Setting folder, check the Always show icons, never thumbnails
Once these changes have been made, close down all instances of Windows Explorer, or simply reboot for the modification to be applied.
Other workarounds include disabling the ‘WebClient’ service to block the remote attack vector and well as renaming the Adobe Font manager Driver (ATMFD.DLL) which will end support of OpenType fonts.
Microsoft is aware of some limited, targeted attacks which are exploiting these vulnerabilities in the wild, and they are therefore urging customers to apply these workarounds while they work on a security patch. They are currently expecting to release a fix on their next scheduled patch day which falls on Tuesday 14th April.
SureCloud is a provider of Gartner recognised GRC software and CREST accredited Cyber Security & Risk Advisory services. Whether buying products or services your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programmes to the next level.