All Windows versions compromised due to critical Zero-day vulnerabilities

All Windows versions compromised due to critical Zero-day vulnerabilities

Hello folks,


Two critical zero-day vulnerabilities have been discovered in Windows Adobe Type Manager Library. Both these vulnerabilities are unpatched and allows attackers to take remote control of the systems affected (Remote Code Execution vulnerability). As of now, the attacks are not widespread and only limited targeted systems are hit.

 

Versions affected 

All versions of the Windows Operating system is susceptible to attacks including Windows version 10, 8.1, 7, and Server 2008, 2012, 2016, 2019 editions.

 

Vulnerability assessment 

Windows Adobe Type Manager Library is a font parsing software, used by Windows Explorer to display the contents of a file in the 'Preview Pane' or 'Details Pane'. The vulnerability exists when when the Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.

 

Workaround

The patch for these zero-day vulnerabilities is expected along with the April Patch Tuesday updates, meanwhile, the following work around can be applied. 


1) Disable Preview Pane and Details Pane in Windows Explorer

To disable the Preview Pane and Details Pane feature:

  • Open Windows Explorer, click Organize and then click Layout.

  • Clear both the Details pane and Preview pane menu options.

  • Click Organize, and then click Folder and search options.

  • Click the View tab.

  • Under Advanced settings, check the Always show icons, never thumbnails box.

  • Close all open instances of Windows Explorer for the change to take effect. 

This workaround however does not necessarily restrict a legitimate 3rd-party software from loading the vulnerable font parsing library.

 

2) Disable the WebClient service 

Follow the steps below to disable WebClient services. Attackers may still be able to exploit this vulnerability remotely, however the users will be prompted for confirmation before opening arbitrary programs from the internet.

  • Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.

  • Right-click WebClient service and select Properties.

  • Change the Startup type to Disabled. If the service is running, click Stop.

  • Click OK and exit the management application.

 

3) Rename or disable ATMFD.DLL

Enter the following commands in an administrative command prompt 


For 32-bit systems 

cd "%windir%\system32"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

 

For 64-bit systems

cd "%windir%\system32"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

cd "%windir%\syswow64"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

 

Following this, restart the system. For more elaborate details regarding this vulnerability refer Microsoft's portal


Automatically install these workarounds using Patch Manager Plus

These workarounds can be automatically done by installing the following patches. 

Initiate a sync between the Patch Manager Plus server and the Central patch database. Once this is done, search for the following patch ID or the Bulletin ID : MS20-MAR25 and install it. 

  • Patch ID : 28618 - Fix for Font Parsing Remote Code Execution Vulnerability

 

Once the patches for these vulnerabilities are released during April Patch Tuesday, or if any problems occur while executing these workarounds, they can be undone by installing the following patch

  • Patch ID: 28619 - Patch for Undoing the changes of Fix for Font Parsing Remote Code Execution Vulnerability

 

Cheers, 

ManageEngine team



                New to ADSelfService Plus?