Microsoft has warned all its Windows users about two new critical, unpatched zero-day vulnerabilities that could allow cyber criminals to take total control over targeted computers remotely.
The two unpatched flaws were found to be used in limited, targeted attacks and affects all supported versions of the Windows operating system—including Windows 10, 8.1 and Server 2008, 2012, 2016, and 2019 editions, as well as Windows 7 whose support has been stopped this year.
The vulnerabilities exist in the Windows Adobe Type Manager Library, a font parsing software that parses content when open with a 3rd-party software and is also used by Windows Explorer to display the content of a file in the ‘Preview Pane’ or ‘Details Pane’ without having users to open it.
The flaws exist when the Adobe Type Manager Library improperly “handles a specially-crafted multi-master font – Adobe Type 1 PostScript format,” allowing remote attackers to execute malicious arbitrary code on targeted systems by convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.
According to Microsoft, for systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.
It is unknown at present whether the flaws can be triggered remotely over a web browser by tricking a user to visit a web-page containing specially-crafted malicious OTF fonts. But still there are several ways in which an attacker could exploit the vulnerability, such as through the Web Distributed Authoring and Versioning (WebDAV) client service.
As of now, patches are not available and the tech giant is working on a patch which is expected to be released on its next month Patch Tuesday updates.
Microsoft recommends that the users are required to apply workarounds which includes disabling the preview pane and details pane in Windows, disabling the WebClient service and to rename or disable ATMFD.DLL
1) Disable the Preview Pane and Details Pane feature in Windows Explorer
- Open Windows Explorer, click Organize and then click Layout.
- Clear both the Details pane and Preview pane menu options.
- Click Organize, and then click Folder and search options.
- Click the View tab.
- Under Advanced settings, check the Always show icons, never thumbnails box.
- Close all open instances of Windows Explorer for the change to take effect.
It is important to note that this workaround prevents malicious files from being viewed in Windows Explorer. However, it does not prevent any legitimate 3rd-party software from loading the vulnerable font parsing library.
2) Disable the WebClient service
To prevent cyberattacks through the WebDAV client service, it is advised to disable Windows WebClient service.
- Click Start, click Run, type Services.msc and then click OK.
- Right-click WebClient service and select Properties.
- Change the Startup type to Disabled. If the service is running, click Stop.
- Click OK and exit the management application.
After this workaround is applied, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN). But the users will be prompted for confirmation before opening arbitrary programs from the Internet.
3) Rename or Disable ATMFD.DLL
The users are recommended to rename Adobe Type Manager Font Driver (ATMFD.dll) file to temporarily disable the embedded font technology, which can cause some 3rd-party apps to stop functioning.