Hello folks,
Two critical zero-day vulnerabilities have been discovered in Windows Adobe Type Manager Library. Both these vulnerabilities are unpatched and allows attackers to take remote control of the systems affected (Remote Code Execution vulnerability). As of now, the attacks are not widespread and only limited targeted systems are hit.
Versions affected
All versions of the Windows Operating system is susceptible to attacks including Windows version 10, 8.1, 7, and Server 2008, 2012, 2016, 2019 editions.
Windows Adobe Type Manager Library is a font parsing software, used by Windows Explorer to display the contents of a file in the 'Preview Pane' or 'Details Pane'. The vulnerability exists when when the Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.
Workaround
The patch for these zero-day vulnerabilities is expected along with the April Patch Tuesday updates, meanwhile, the following work around can be applied.
To disable the Preview Pane and Details Pane feature:
Open Windows Explorer, click Organize and then click Layout.
Clear both the Details pane and Preview pane menu options.
Click Organize, and then click Folder and search options.
Click the View tab.
Under Advanced settings, check the Always show icons, never thumbnails box.
Close all open instances of Windows Explorer for the change to take effect.
This workaround however does not necessarily restrict a legitimate 3rd-party software from loading the vulnerable font parsing library.
2) Disable the WebClient service
Follow the steps below to disable WebClient services. Attackers may still be able to exploit this vulnerability remotely, however the users will be prompted for confirmation before opening arbitrary programs from the internet.
Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
Right-click WebClient service and select Properties.
Change the Startup type to Disabled. If the service is running, click Stop.
Click OK and exit the management application.
3) Rename or disable ATMFD.DLL
Enter the following commands in an administrative command prompt
For 32-bit systems
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
For 64-bit systems
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
cd "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
Following this, restart the system. For more elaborate details regarding this vulnerability refer Microsoft's portal
Automatically install these workarounds using Desktop Central
These workarounds can be automatically done by installing the following patches.
Initiate a sync between the Desktop Central server and the Central vulnerability database. Once this is done, search for the following patch ID or the Bulletin ID : MS20-MAR25 and install it.
Patch ID : 28618 - Fix for Font Parsing Remote Code Execution Vulnerability
Once the patches for these vulnerabilities are released during April Patch Tuesday, or if any problems occur while executing these workarounds, they can be undone by installing the following patch
Patch ID: 28619 - Patch for Undoing the changes of Fix for Font Parsing Remote Code Execution Vulnerability
Cheers,