Zero-day defenses suggested while Redmond gets to work on a patch
Microsoft is urging organizations to apply temporary workarounds while it works on developing a patch for a flaw in how Windows handles and renders fonts that attackers are actively exploiting.
In an advisory published on Monday (March 23), Microsoft said it was aware of “limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library”.
“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format,” the advisory explains.
The critical, zero-day flaw might be exploited providing an attacker is able to trick a potential target into opening a specially crafted document or viewing it in the Windows Preview pane.
Successful attacks open the door for attackers to push malicious code onto vulnerable systems.
All supported versions of Windows – including Windows 10 and Windows Server 2008 up until Windows Server 2019 – are affected.
Windows 7 is likely also vulnerable but not listed as such because it is no longer supported.
How to protect against the Windows font handler flaw
Microsoft has offered three potential mitigations to safeguard vulnerable systems against potential attack. These include disabling the Preview Pane and Details Pane in Windows Explorer.
“While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability,” Microsoft cautions.
Another option comes from disabling the WebClient service which blocks the “most likely remote attack vector” even though it falls some way short of offering a complete fix.
“After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network, but users will be prompted for confirmation before opening arbitrary programs from the internet,” Redmond’s security team explains.
A third potential mitigation comes from renaming the ATMFD.DLL library – a move that means that applications that rely on embedded font technology will not render properly.
None of the mitigations are complete and all have their drawbacks. Even so, these safety measures are worth considering in the absence of an immediate fix from Microsoft.
Based on previous form, a patch is most likely to arrive next month as part of the Microsoft’s regular Patch Tuesday update, but we can’t be certain of this – especially in these most uncertain times.
Jonathan Knudsen, senior security strategist at Synopsys, noted that Microsoft is dealing with the consequences of a vulnerability in a software component developed by a third-party supplier rather than its own developers.
“Microsoft is actually reporting on an Adobe component which contains vulnerabilities that affect Microsoft’s products,” he said.
