Remote Code Execution Windows OS Vulnerability
I. Targeted Industries
- Higher Education
- Health Organizations
- Financial Services
II. Summary
A vulnerability affecting Windows 7 could give attackers remote access to install malicious code (1). According to Microsoft, two remote code execution vulnerabilities exist in the Adobe Type Manager Library, a Windows Dynamic-Link Library (DLL) that multiple applications use to render Adobe Type 1 fonts. The risk to Windows 10 systems is low because of mitigations introduced in the first Windows 10 release in 2015 (2).
III. Recommendations
- Disable the Windows Preview Pane and Details Pane in Windows Explorer
- Disable the Web Client service
- Rename ATMFD.DLL (on Windows 10 systems that still have a file by that name) or disable it through the registry
- Stay informed and up-to-date on Microsoft security updates
- Do not open any suspicious files
- Suggested site for distribution: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006
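The following PowerShell script is an added example, not part of the advisory or of Microsoft's guidance: it audits a host for the Web Client and ATMFD.DLL workarounds listed above and, when run with -Apply from an elevated prompt, enforces them (the Explorer Preview and Details panes are toggled in the Explorer UI and are not changed by the script). It assumes the standard System32/SysWOW64 layout, the WebClient service name, and the DisableATMFD registry value that Microsoft documented for disabling the library.

```powershell
# Audit (and optionally apply) the ADV200006 workarounds on a Windows host.
# Added example; run from an elevated Windows PowerShell prompt.
[CmdletBinding()]
param([switch]$Apply)

$dirs     = @((Join-Path $env:windir 'System32'), (Join-Path $env:windir 'SysWOW64'))
$atmfdKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-WorkaroundStatus {
    # WebClient counts as mitigated only when it is stopped AND set to Disabled.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WebClient'"
    $webClientOff = ($null -eq $svc) -or ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    # ATMFD counts as mitigated when the DLL is gone from both directories or
    # the registry switch is set (the latter takes effect after a reboot).
    $dllPresent = @($dirs | Where-Object { Test-Path (Join-Path $_ 'atmfd.dll') })
    $reg = Get-ItemProperty -Path $atmfdKey -Name DisableATMFD -ErrorAction SilentlyContinue
    $regOff = ($null -ne $reg) -and ($reg.DisableATMFD -eq 1)
    [pscustomobject]@{
        WebClientDisabled = $webClientOff
        AtmfdDllPresentIn = $dllPresent
        DisableATMFDSet   = $regOff
        AtmfdMitigated    = ($dllPresent.Count -eq 0) -or $regOff
    }
}

function Invoke-Workarounds {
    # 1. Stop and disable the WebClient (WebDAV) service.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
    # 2. Rename ATMFD.DLL wherever it exists. The file is owned by
    #    TrustedInstaller, so take ownership first and save the ACL for rollback.
    foreach ($dir in $dirs) {
        $dll = Join-Path $dir 'atmfd.dll'
        if (Test-Path $dll) {
            & takeown.exe /f $dll | Out-Null
            & icacls.exe $dll /save "$dll.acl" | Out-Null
            & icacls.exe $dll /grant 'Administrators:(F)' | Out-Null
            Rename-Item -Path $dll -NewName 'x-atmfd.dll'
        }
    }
    # 3. Registry alternative to renaming (assumed value name DisableATMFD,
    #    as documented by Microsoft): DWORD 1, effective after a reboot.
    New-ItemProperty -Path $atmfdKey -Name DisableATMFD -PropertyType DWord -Value 1 -Force | Out-Null
}

if ($Apply) { Invoke-Workarounds }
Get-WorkaroundStatus | Format-List
```

Without -Apply the script only reports status, which makes it safe to push through a management tool as a fleet-wide check before deciding where to enforce the workarounds.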
IV. Background Information
The vulnerability lies in the way the Windows Adobe Type Manager Library handles a specially crafted multi-master font (3). Once an attacker has crafted such a font, they need only trick a user into opening a document that contains it, or previewing it in the Windows Preview Pane, for the malicious code to execute. Mitigations present in Windows 10 and related operating systems prevent an affected application from escaping the Windows sandbox, which limits the blast radius of this attack (4). Microsoft has stated that the fix will arrive with the next update, possibly as an out-of-band patch, that is, one released outside the regular update cycle to address critical flaws quickly (5). Users running Windows 7 will not receive this patch, since that OS reached end of support on January 14, 2020; however, customers enrolled in Microsoft’s Extended Security Updates (ESU) program remain eligible for it (6).
V. Indicators of Compromise (IOCs)
- Please refer back to the recommendations and the suggested site for distribution.
VI. References
(1) “ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability.” Microsoft Security Response Center, March 23, 2020. https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006
(2) Cook, Brent. “Active Exploitation of Unpatched Windows Font Parsing Vulnerability.” Rapid7 Blog, March 25, 2020. https://blog.rapid7.com/2020/03/24/active-exploitation-of-unpatched-windows-font-parsing-vulnerability/
(3) Foltyn, Tomas. “Microsoft Warns of Two Windows Zero-Day Flaws.” WeLiveSecurity, March 24, 2020. https://www.welivesecurity.com/2020/03/24/microsoft-warns-two-windows-zero-day-flaws/
(4) Goodin, Dan. “Windows Code-Execution Zero-Day Is Under Active Exploit, Microsoft Warns.” Ars Technica, March 23, 2020. https://arstechnica.com/information-technology/2020/03/attackers-exploit-windows-zeroday-that-can-execute-malicious-code/
(5) “Microsoft Warns Windows Users of a Critical Vulnerability That’s Used for ‘Limited Targeted Attacks’.” Hindustan Times, March 24, 2020. https://www.hindustantimes.com/tech/microsoft-warns-windows-users-of-a-critical-vulnerability-that-s-used-for-limited-targeted-attacks/story-or7JPvs451ONwkuz9sVYgL.html
(6) Rouse, Margaret. “Out-of-Band Patch.” WhatIs.com, March 2013. https://whatis.techtarget.com/definition/out-of-band-patch
(7) Shaikh, Rafia. “Windows 7 Remote Code Execution Bugs Are Under Active Exploit.” Wccftech, March 25, 2020. https://wccftech.com/windows-7-remote-code-execution-bugs-are-under-active-exploit/
(8) Whittaker, Zack. “Microsoft Says Hackers Are Attacking Windows Users With a New Unpatched Bug.” TechCrunch, March 23, 2020. https://techcrunch.com/2020/03/23/windows-unpatched-zero-day-bug/