Microsoft Windows OS has two security vulnerabilities that are being exploited by malicious code writers. The newly discovered security flaws are Remote Code Execution or RCE capable, and they exist in the Adobe Type Manager Library. The security bug can allow exploiters to remotely access and control the victim’s computers after installing even the latest updates. It is concerning to note that there’s no patch available yet.
Microsoft has admitted there are two Windows zero-day vulnerabilities that can execute malicious code on fully updated systems. The vulnerabilities have been found in the Adobe Type Manager Library, which is being used to display the Adobe Type 1 PostScript format in Windows. Microsoft has promised it is developing a patch to mitigate the risk and patch the exploits. However, the company will release the patches as part of the upcoming Patch Tuesday. Concerned Windows OS users, however, have a few temporary and simple workarounds to protect their systems from these two new RCE vulnerabilities.
Microsoft Warns About Windows Code-Execution 0-Day Vulnerabilities With Limited Targeted Attacks Potential:
The newly discovered RCE vulnerabilities exist in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. The vulnerability consists of two code-execution flaws that can be triggered by the improper handling of maliciously crafted master fonts in the Adobe Type 1 Postscript format. To successfully attack a victim’s computer, the attackers merely need the target to open a document or even preview the same in the Windows preview pane. Needless to add, the document will be laced with malicious code.
All versions of #Microsoft Windows (7, 8.1, 10, Server 2008, 2012, 2016, 2019) operating systems contain 2 new font parsing library RCE vulnerabilities that are:
—Under active ZERO-DAY attacks
— The Hacker News (@TheHackersNews) March 23, 2020
Microsoft has confirmed that computers running Windows 7 are the most vulnerable to the newly discovered security vulnerabilities. The company notes that the font-parsing remote code-execution vulnerability is being used in “limited targeted attacks,” against Windows 7 systems. As for Windows 10 systems, the scope of the vulnerabilities is rather limited, indicated the advisory:
“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” noted Microsoft. While there’s no fix yet for Windows 10, Windows 8.1, and Windows 7, the company explains that “for systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.
Microsoft says that Windows 10 systems are not targeted in the attacks exploiting the two critical RCE vulnerabilities.
The advisory was updated to say that "Microsoft has become aware of limited targeted 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝟳 𝗯𝗮𝘀𝗲𝗱 𝗮𝘁𝘁𝗮𝗰𝗸𝘀 [..]" pic.twitter.com/AVrVdtWcZc
— BleepingComputer (@BleepinComputer) March 24, 2020
Microsoft hasn’t offered many details about the scope of the impact of the newly discovered security flaws. The company didn’t indicate if the exploits are successfully executing malicious payloads or simply attempting it.
How To Protect Against New Windows 0-Day RCE Vulnerabilities In The Adobe Type Manager Library?
Microsoft is yet to officially issue a patch to protect against the newly discovered RCE security vulnerabilities. The patches are expected to arrive on Patch Tuesday, most likely next week. Until then, Microsoft is suggesting to use one or more of the following workarounds:
- Disabling the Preview Pane and Details Pane in Windows Explorer
- Disabling the WebClient service
- Rename ATMFD.DLL (on Windows 10 systems that have a file by that name), or alternatively, disable the file from the registry
The first measure will stop Windows Explorer from automatically displaying Open Type Fonts. Incidentally, this measure will prevent some types of attacks, but it won’t stop a local, authenticated user from running a specially crafted program to exploit the vulnerability.
Attackers are exploiting unpatched Windows zero day flaws, Microsoft said in a Monday security advisory. The company said “limited targeted attacks” could leverage two unpatched remote code executive (RCE) vulnerabilities in Windows… https://t.co/JHjAgO4sSi via @InfoSecHotSpot pic.twitter.com/gAhLt46CGT
— Sean Harris (@InfoSecHotSpot) March 24, 2020
Disabling the WebClient service blocks the vector which attackers would most likely use to wage remote exploits. This workaround will cause users to be prompted for confirmation before opening arbitrary programs from the Internet. Nonetheless, it is still possible for attackers to run programs located on the targeted user’s computer or local network.
The last suggested workaround is rather troublesome as it will cause display problems for applications that rely on embedded fonts and could cause some apps to stop working if they use OpenType fonts.
— Neil Mitchell-Hunter (@polo_nmh) March 24, 2020
As always, Windows OS users are cautioned to be on the lookout for suspicious requests to view untrusted documents. Microsoft has promised a permanent fix, but users should refrain from accessing or opening documents from unverified or untrustworthy sources.