Summary

On March 23rd, 2020 Microsoft publicly disclosed the existence of two critical 0-Day vulnerabilities in all recent versions of the Microsoft Windows operating system. Microsoft is aware of limited targeted attacks that leverage these 0-Day vulnerabilities and has provided guidance on how to temporarily mitigate the exploitation of these unpatched vulnerabilities. Patches for these vulnerabilities are not expected until April’s “Patch Tuesday” release.

The 2 (two) 0-Day Remote Code Execution (RCE) vulnerabilities exist because of the way the Windows Adobe Type Library improperly handles a specially crafted font file in the “Adobe Type 1 PostScript” format. This Adobe Type Library is included by default in all Windows systems and, as such, all recent Microsoft Windows systems are impacted.

Successful exploitation of this vulnerability requires that attackers trick users into either previewing or opening a maliciously crafted document. Exploitation will likely be in the form of a phishing attempt with a malicious document attached. Attackers could also leverage Web Distributed Authoring and Versioning (WebDAV) based HTTP requests to load previews of the maliciously crafted font files in order to exploit these vulnerabilities.

Systems running Windows 10 are still vulnerable to potential exploitation but built-in mitigations make successful exploitation much more difficult. Windows 10 leverages isolated “App Containers” with limited privileges. The use of these isolated “App Containers” significantly increases the difficulty of successfully compromising a system by exploiting these issues but does not prevent exploitation.

For additional details on how Windows 10 mitigates these types of exploits, review Microsoft’s article on Windows 10’s zero-day exploit mitigation features (including mitigating font parsing vulnerabilities).

The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (especially on non-Windows 10 systems). Mitigation options include:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient (for WebDAV) service
  • Renaming the impacted Dynamic Linked Library (DLL) file (ATMFD.DLL)

For additional details on how to successfully mitigate these issues, please review the “Temporary Mitigation” section of this advisory.

Affected software

  • Windows 10 (All versions)
  • Windows 8.1 (All versions)
  • Windows 7 (All versions)
  • Windows Server 2008 / R2 (All versions)
  • Windows Server 2012 / R2 (All versions)
  • Windows Server 2016 (All versions)
  • Windows Server 2019 (All versions)

Impact

Successful exploitation of these vulnerabilities can provide attackers kernel level privileges on impacted Windows systems. Such access enables attackers take complete control of impacted systems.

Temporary Mitigation & Workarounds

The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (Especially on non-Windows 10 systems). Mitigation options include:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient (for WebDAV) service
  • Renaming the impacted DLL file (ATMFD.DLL)

The sections below describe how to apply these temporary workarounds to prevent the exploitation of these 0-Day vulnerabilities.

Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2008 (R2), Windows 7, Windows Server 2012 (R2), and Windows 8.1):

Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.

To disable these panes, perform the following steps:

  1. Open Windows Explorer, click Organize, and then click Layout.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Organize, and then click Folder and search options.
  4. Click the View
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2016, Windows 10, and Windows Server 2019):

To disable these panes, perform the following steps:

  1. Open Windows Explorer, click the View
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Options, and then click Change folder and search options.
  4. Click the View
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the WebDAV WebClient Service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

Note: Even after disabling the WebClient Service, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs already installed on the targeted computer or programs which are available via local network file shares. However, this mitigation will now prompt users before running arbitrary software from non-local sources (such as the internet).

To disable the WebClient Service, perform the following steps:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Disabled. If the service is running, click Stop.
  4. Click OK and exit the management application.

Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 32-bit systems

  1. Enter the following commands at an administrative command prompt:
cd "%windir%\system32"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

  1. Restart the system

Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 64-bit systems

  1. Enter the following commands at an administrative command prompt:
cd "%windir%\system32"

      takeown.exe /f atmfd.dll

      icacls.exe atmfd.dll /save atmfd.dll.acl

      icacls.exe atmfd.dll /grant Administrators:(F)

      rename atmfd.dll x-atmfd.dll

      cd "%windir%\syswow64"

      takeown.exe /f atmfd.dll

      icacls.exe atmfd.dll /save atmfd.dll.acl

      icacls.exe atmfd.dll /grant Administrators:(F)

      rename atmfd.dll x-atmfd.dll
  1. Restart the system.

Disable the Adobe Type Manager Library via registry on Windows 8.1 or below (not recommended)

It’s possible for Windows administrators to disable the Adobe Type Manager Library by modifying the Windows registry on Windows 8.1 and below.

However, disabling the library in this method may impact applications that rely on embedded font technology Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. For details on how to disable ATMDF via registry changes please review Microsoft’s Security Advisory.

For details on potential impacts of these workarounds, or details on how to roll back these changes, please review Microsoft’s security advisory.

Sources

Kudelski Security Team

Kudelski Security Team

Kudelski Security is an innovative and independent provider of tailored cybersecurity solutions to enterprises and public sector institutions. Kudelski Security is a division of the Kudelski Group (SIX:KUD.S), which has nearly 4,000 employees in 33 countries around the world. The company has dual headquarters in Phoenix, Arizona, and in Cheseaux-sur-Lausanne, Switzerland, as well as offices in Zurich, Minneapolis, Dallas, and Atlanta.
Kudelski Security Team