Microsoft Released Out-of-Band Advisory – Windows Adobe Type Manager Library Remote Code Execution Vulnerability (ADV200006)

Today, Microsoft released an out-of-band security advisory ADV200006 to address two critical remote code execution vulnerabilities in Adobe Type Manager Library. Microsoft is also aware of limited, targeted attacks that attempt to leverage this vulnerability.

The Vulnerability

Microsoft Windows Adobe Type Manager Library is affected by two remote code execution vulnerabilities as it improperly handles a specially-crafted multi-master font (Adobe Type 1 PostScript format). Successful exploitation would require a remote attacker to convince a user to open a specially crafted document leading to memory corruption and executing arbitrary code on the system. This may result in complete compromise of vulnerable system.

Affected Systems

All supported Windows and Windows Server operating systems are affected.
Windows 7, 8.1, RT 8.1, 10, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

Detecting ADV200006 with Qualys Vulnerability Management

The best method for identifying vulnerable hosts that do not have workarounds in place, is through the Qualys Cloud Agent or via Qualys authenticated scanning. Qualys has issued QID 91617 for Qualys Vulnerability Management that is included in signature version VULNSIGS-2.4.849-4. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.849.4-3.

QID 91617 : Microsoft Windows Adobe Type Manager Library Remote Code Execution Vulnerability (ADV200006) (Zero Day)

You can search for this within VM Dashboard by using the following QQL query:

vulnerabilities.vulnerability.qid: 91617

This will return a list of all impacted hosts.

 

Workaround:

While patches for not available these vulnerabilities, Microsoft provided workarounds to secure vulnerable systems:

  1. Disable the Preview Pane and Details Pane in Windows Explorer (WE)
  2. Disable the WebClient service
  3. Rename ATMFD.DLL or disable the registry key for Windows 8.1 and below

First two workarounds, provides less security against the vulnerability, as the attack could still be conducted with permissible conditions. In the first case, a local, authenticated user can still exploit this vulnerability from running a specially crafted program. In the second case also, it is still possible for remote attackers to run programs located on the targeted user’s computer or the LAN. However, users will be prompted for confirmation before opening arbitrary programs from the Internet.

When applying third workaround, Microsoft says Disabling registry key may cause certain applications to stop working properly as OpenType fonts is not Windows native application and is installed via third-party applications.

Disable the Preview Pane and Details Pane in Windows Explorer(WE)

    • Disabling the Preview and Details panes in WE prevents the automatic display of OTF fonts in WE. While this prevents malicious files from being viewed in WE, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability. To disable these panes in Windows 8.1 and before perform the following steps:

Open WE, click Organize, and then click Layout.

  • Clear both the Details pane and Preview pane menu options.
  • Click Organize, and then click Folder and search options.
  • Click the View tab.
  • Under Advanced settings, check the Always show icons, never thumbnails box.
  • Close all open instances of WE for the change to take effect.

Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the WebDAV client service.It is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the LAN, but users will be prompted for confirmation.

To disable the WebClient Service, perform the following steps:

  • Click Start, click Run, type Services.msc and click OK.
  • Right-click WebClient service and select Properties.
  • Change the Startup type to Disabled. If the service is running, click Stop.
  • Click OK and exit the management application.

Rename ATMFD.DLL:

  • Enter the following commands at an administrative command prompt:
    • cd “%windir%system32”
    • takeown.exe /f atmfd.dll
    • icacls.exe atmfd.dll /save atmfd.dll.acl
    • icacls.exe atmfd.dll /grant Administrators:(F)
    • rename atmfd.dll x-atmfd.dll
  • Restart the system.

Optional procedure for Windows 8.1 operating systems and below (disable ATMFD):

  • Method 1 (manual):
    • Run regedit.exe as Administrator.
    • In Reg Editor, navigate to the following sub key (or create it) and set its DWORD value to 1: HKLMSoftwareMicrosoftWindows NTCurrentVersionWindowsDisableATMFD, DWORD = 1
    • Close Registry Editor and restart the system.
  • Method 2 (using a script):
    • Create a text file named ATMFD-disable.reg that contains the following text:
      Windows Registry Editor Version 5.00
      [HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWindows]“DisableATMFD”=dword:00000001
    • Run regedit.exe.
    • In Registry Editor, click the File menu and then click Import.
    • Navigate to and select the ATMFD-disable.reg file that you created in the first step.
    • Click Open and then click OK to close Registry Editor.

Customers are advised to apply workarounds ADV200006 for affected operating systems until a patch is released to be protected from this vulnerability.


*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Animesh Jain. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2020/03/23/microsoft-released-out-of-band-advisory-microsoft-windows-adobe-type-manager-library-remote-code-execution-vulnerability-adv200006