March 27, 2020

Microsoft has released an out-of-band security advisory to address two critical remote code execution vulnerabilities in Adobe Type Manager Library. Microsoft is also aware of limited, targeted attacks that attempt to leverage this vulnerability.

Description

The Microsoft Windows Adobe Type Manager Library is affected by two remote code execution vulnerabilities because it improperly handles a specially crafted multi-master font (Adobe Type 1 PostScript format). Successful exploitation requires a remote attacker to convince a user to open a specially crafted document, leading to memory corruption and execution of arbitrary code on the system. This may result in complete compromise of the vulnerable system.

Affected Systems

All supported Windows and Windows Server operating systems are affected.

Windows 7, 8.1, RT 8.1, 10, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

Mitigations

Microsoft is currently preparing a patch for the vulnerability, which is expected to be released with the April Patch Tuesday updates.

Workarounds

Until patches for these vulnerabilities are available, Microsoft has provided workarounds to secure vulnerable systems:

  1. Disable the Preview Pane and Details Pane in Windows Explorer (WE)
  2. Disable the WebClient service
  3. Rename ATMFD.DLL or disable the registry key for Windows 8.1 and below

The first two workarounds give only partial protection, because the attack can still be carried out under certain conditions. With the first, a local, authenticated user can still exploit the vulnerability by running a specially crafted program. With the second, remote attackers can still cause the system to run programs located on the targeted user’s computer or on the LAN; however, users will be prompted for confirmation before arbitrary programs from the Internet are opened.

For the third workaround, Microsoft notes that disabling the registry key may cause certain applications to stop working properly, as OpenType fonts are not native to Windows and are installed by third-party applications.

Disable the Preview Pane and Details Pane in Windows Explorer (WE)

Disabling the Preview and Details panes in WE prevents the automatic display of OTF fonts in WE. While this prevents malicious files from being viewed in WE, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability. To disable these panes in Windows 8.1 and earlier, perform the following steps:

  • Open WE, click Organize, and then click Layout.
  • Clear both the Details pane and Preview pane menu options.
  • Click Organize, and then click Folder and search options.
  • Click the View tab.
  • Under Advanced settings, check the Always show icons, never thumbnails box.
  • Close all open instances of WE for the change to take effect.

Disable the WebClient service

  • Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the WebDAV client service. It is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the LAN, but users will be prompted for confirmation.
  • To disable the WebClient Service, perform the following steps:
    • Click Start, click Run, type Services.msc and click OK.
    • Right-click WebClient service and select Properties.
    • Change the Startup type to Disabled. If the service is running, click Stop.
    • Click OK and exit the management application.

Rename ATMFD.DLL

  • Enter the following commands at an administrative command prompt:

    cd "%windir%\system32"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F)
    rename atmfd.dll x-atmfd.dll

  • Restart the system.

Optional procedure for Windows 8.1 operating systems and below (disable ATMFD)

Method 1 (manual)

  • Run regedit.exe as Administrator.
  • In Registry Editor, navigate to the following sub key (or create it) and set its DWORD value to 1: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 1
  • Close Registry Editor and restart the system.

Method 2 (using a script)

  • Create a text file named ATMFD-disable.reg that contains the following text (the .reg format requires the full hive name HKEY_LOCAL_MACHINE rather than the HKLM abbreviation, and the value on its own line):
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DisableATMFD"=dword:00000001
  • Run regedit.exe.
  • In Registry Editor, click the File menu and then click Import.
  • Navigate to and select the ATMFD-disable.reg file that you created in the first step.
  • Click Open and then click OK to close Registry Editor.
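The manual steps above are easy to apply on one machine but hard to verify across many. The following PowerShell script is an added example, not part of this advisory or of Microsoft's guidance: it audits the state of the WebClient and ATMFD workarounds on the local system and can apply them. Function and variable names are my own; the registry path, value name, file names and command sequence are those given in the advisory. It assumes an elevated session and that WebClient, if present, is the standard WebDAV client service.

```powershell
# Added example (not from the advisory): audit and apply the WebClient and
# ATMFD workarounds described above. Run from an elevated PowerShell session.

$System32     = Join-Path $env:windir 'System32'
$AtmfdPath    = Join-Path $System32 'atmfd.dll'
$RenamedPath  = Join-Path $System32 'x-atmfd.dll'
$DisableKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$DisableValue = 'DisableATMFD'

function Get-AtmfdWorkaroundState {
    # Returns one object describing each workaround, suitable for logging
    # or for comparing results collected from many hosts.
    # Win32_Service is used instead of Get-Service so StartMode is
    # available on older Windows PowerShell versions as well.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" `
                           -ErrorAction SilentlyContinue
    $disable = (Get-ItemProperty -Path $DisableKey -Name $DisableValue `
                                 -ErrorAction SilentlyContinue).$DisableValue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        # WebClient is not installed by default on most Windows Server SKUs,
        # in which case the WebDAV vector is already absent.
        WebClientStartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        WebClientState     = if ($svc) { $svc.State }     else { 'NotInstalled' }
        WebClientDisabled  = (-not $svc) -or
                             ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
        AtmfdDllPresent    = Test-Path $AtmfdPath
        AtmfdDllRenamed    = (-not (Test-Path $AtmfdPath)) -and (Test-Path $RenamedPath)
        DisableATMFDValue  = $disable
        DisableATMFDSet    = ($disable -eq 1)
    }
}

function Disable-WebClientWorkaround {
    # Workaround 2: stop the WebDAV client and prevent it from starting again.
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
}

function Set-DisableAtmfdWorkaround {
    # Workaround 3, registry variant (Windows 8.1 and below): equivalent to
    # importing ATMFD-disable.reg. Takes effect after a restart.
    if (-not (Test-Path $DisableKey)) { New-Item -Path $DisableKey -Force | Out-Null }
    New-ItemProperty -Path $DisableKey -Name $DisableValue -PropertyType DWord `
                     -Value 1 -Force | Out-Null
}

function Rename-AtmfdWorkaround {
    # Workaround 3, rename variant: the same command sequence as the advisory,
    # run from System32 so the saved ACL uses the same relative name and can
    # later be restored with "icacls.exe /restore atmfd.dll.acl".
    if (-not (Test-Path $AtmfdPath)) { return }
    Push-Location $System32
    try {
        & takeown.exe /f atmfd.dll                      | Out-Null
        & icacls.exe  atmfd.dll /save atmfd.dll.acl      | Out-Null
        & icacls.exe  atmfd.dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path atmfd.dll -NewName x-atmfd.dll
    } finally {
        Pop-Location
    }
}

# Audit only; apply the workaround functions explicitly after reviewing the output.
Get-AtmfdWorkaroundState | Format-List
```

Running the script as-is only reports state; call Disable-WebClientWorkaround, Set-DisableAtmfdWorkaround or Rename-AtmfdWorkaround afterwards as appropriate for the system, and restart for the ATMFD changes to take effect. Keeping the audit separate from the apply step makes it straightforward to re-run the audit after the April patch ships to confirm where the workarounds can be reverted.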

Reference