Windows code-execution zeroday is under active exploit, Microsoft warns
Attackers are actively exploiting a Windows zero-day vulnerability that can execute malicious code on fully updated systems, Microsoft warned on Monday.
The font-parsing remote code-execution vulnerability is being used in “limited targeted attacks,” the software maker said in an advisory published on Monday morning. The security flaw exists in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. The vulnerability consists of two code-execution flaws that can be triggered by the improper handling of maliciously crafted master fonts in the Adobe Type 1 Postscript format. Attackers can exploit them by convincing a target to open a booby-trapped document or viewing it in the Windows preview pane.
“Microsoft is aware of limited, targeted attacks that attempt to leverage this vulnerability,” Monday’s advisory warned. Elsewhere the advisory said: “For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.”
Microsoft didn’t say if the exploits are successfully executing malicious payloads or simply attempting it. Frequently, security defenses built into Windows prevent exploits from working as hackers intended. The advisory also made no reference to the volume or geographic locations of exploits. A fix is not yet available, and Monday’s advisory provided no indication when one would ship.
What to do now?
Until a patch becomes available, Microsoft is suggesting users use one or more of the following workarounds:
- Disabling the Preview Pane and Details Pane in Windows Explorer
- Disabling the WebClient service
- Rename ATMFD.DLL, or alternatively, disable the file from the registry
The first measure will prevent Windows Explorer, a tool that provides a graphical user interface for displaying and managing Windows resources, from automatically displaying Open Type Fonts. While this stopgap fix will prevent some types of attacks, it won’t stop a local, authenticated user from running a specially crafted program to exploit the vulnerability.
The second workaround—disabling the WebClient service—blocks the vector attackers would most likely use to wage remote exploits. Even with this measure in place, it’s still possible for remote attackers to run programs located on the targeted user’s computer or local network. Still, the workaround will cause users to be prompted for confirmation before opening arbitrary programs from the Internet.
Microsoft said that disabling the WebClient will prevent Web Distributed Authoring and Versioning from being transmitted. It also stops any services that explicity depend on the WebClient from starting and logs error messages in the System log.
Renaming ATMFD.DLL, the last recommended stopgap, will cause display problems for applications that rely on embedded fonts and could cause some apps to stop working if they use OpenType fonts. Microsoft also cautioned that mistakes in making registry changes to Windows—as required in one variation of the third workaround—can cause serious problems that may require Windows to be completely reinstalled.
Monday’s advisory provides detailed instructions for both turning on and turning off all three workarounds. Enhanced Security Configuration, which is on by default on Windows Servers, doesn’t mitigate the vulnerability, the advisory added.
Targeted… for now
The phrase “limited targeted attacks” is frequently shorthand for exploits carried out by hackers carrying out espionage operations on behalf of governments. These types of attacks are usually limited to a small number of targets—in some cases, fewer than a dozen—who work in a specific environment that’s of interest to the government sponsoring the hackers.
While Windows users at large may not be targeted initially, new campaigns sometimes sweep larger and larger numbers of targets once awareness of the underlying vulnerabilities becomes more widespread. At a minimum, all Windows users should monitor this advisory, be on the lookout for suspicious requests to view untrusted documents, and install a patch once it becomes available. Windows users may also want to follow one or more of the workarounds but only after considering the potential risks and benefits of doing so.