Administrators and infosec pros will have to increase the surveillance of their networks for suspicious activity after Microsoft announced the discovery of a vulnerability in the way Windows processes fonts that could lead to a remote code execution.
As of this morning, there are only workarounds for the bug. Microsoft said it is working on a patch. Microsoft also said it’s aware of “limited, targeted attacks” that attempt to leverage this vulnerability.
“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format,” the company said in an advisory late Monday.
According to Carnegie Mellon’s CERT Co-ordination Center, by causing a Windows system to open a specially crafted document or view it in the Windows preview pane, an unauthenticated remote attacker may be able to execute arbitrary code with kernel privileges on a vulnerable system. Windows 10 based operating systems would execute the code with limited privileges, in an AppContainer sandbox.
The Outlook Preview Pane is NOT an attack vector for this vulnerability.
The bug, deemed critical, is in all supported desktop versions of Windows as far back as Win7, and Windows Server as far back as version 2008.
There are several mitigations:
- Renaming the kernel module ATMFD.DLL in Windows 10 installations before version 1709. Newer versions do not have this DLL. This module is Adobe Type Manager, which is provided by Windows and provides support for OpenType fonts. Carnegie Mellon said this appears to be the most effective workaround as it blocks the vulnerable code from being used by Windows;
- Disabling the Preview and Details panes in Windows Explorer, which prevents the automatic display of OTF fonts in Explorer. While this prevents malicious files from being viewed in Windows Explorer, Microsoft said, it doesn’t prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability;
- Disabling the WebClient service, which helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet;
- Renaming the kernel module ATMFD.DLL in Windows 10 installations before version 1709. Newer versions do not have this DLL. This module is Adobe Type Manager, which is provided by Windows and provides support for OpenType fonts.