Microsoft warns critical vulnerability in Windows already being exploited

Administrators and infosec pros will have to increase the surveillance of their networks for suspicious activity after Microsoft announced the discovery of a vulnerability in the way Windows processes fonts that could lead to remote code execution.

As of this morning, there are only workarounds for the bug. Microsoft said it is working on a patch. Microsoft also said it’s aware of “limited, targeted attacks” that attempt to leverage this vulnerability.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format,” the company said in an advisory late Monday.

According to Carnegie Mellon’s CERT Coordination Center, by causing a Windows system to open a specially crafted document or view it in the Windows preview pane, an unauthenticated remote attacker may be able to execute arbitrary code with kernel privileges on a vulnerable system. Windows 10-based operating systems would execute the code with limited privileges, in an AppContainer sandbox.

The Outlook Preview Pane is NOT an attack vector for this vulnerability.

The bug, deemed critical, is in all supported desktop versions of Windows as far back as Win7, and Windows Server as far back as version 2008.

There are several mitigations:

  • Renaming the kernel module ATMFD.DLL in Windows 10 installations before version 1709. Newer versions do not have this DLL. This module is Adobe Type Manager, which is provided by Windows and provides support for OpenType fonts. Carnegie Mellon said this appears to be the most effective workaround as it blocks the vulnerable code from being used by Windows;
  • Disabling the Preview and Details panes in Windows Explorer, which prevents the automatic display of OTF fonts in Explorer. While this prevents malicious files from being viewed in Windows Explorer, Microsoft said, it doesn’t prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability;
  • Disabling the WebClient service, which helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.
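The workarounds above lend themselves to a quick fleet audit. The PowerShell function below is an added example, not part of the article or of Microsoft's advisory: it reports whether a host still carries ATMFD.DLL, which Windows 10 release it runs, and whether the WebClient (WebDAV) service is disabled, optionally applying that last workaround. The System32/SysWOW64 paths and the ReleaseId registry value are assumptions about a standard Windows layout; run it from an elevated session.

```powershell
# Added example (not from the article or Microsoft): audit a host against the
# ATMFD workarounds described above. Paths and the ReleaseId value are assumed
# from a standard Windows layout, not taken from the article.
function Get-AtmfdExposure {
    [CmdletBinding()]
    param(
        # Apply the WebClient workaround instead of only reporting on it
        [switch]$DisableWebClient
    )

    # Windows release id (e.g. 1709); the article says builds from 1709 on
    # no longer ship ATMFD.DLL, so older release ids are the ones to watch.
    $cv        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $releaseId = $cv.ReleaseId
    $osName    = $cv.ProductName

    # Look for the vulnerable module in the usual 64-bit and WoW64 locations (assumed paths)
    $candidates = @(
        "$env:SystemRoot\System32\atmfd.dll",
        "$env:SystemRoot\SysWOW64\atmfd.dll"
    )
    $present = @($candidates | Where-Object { Test-Path -Path $_ })

    # WebClient service: while it runs, the WebDAV remote vector the article
    # names remains open. StartType requires PowerShell 5 or later.
    $webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue

    if ($DisableWebClient -and $webclient) {
        Set-Service  -Name WebClient -StartupType Disabled
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        $webclient = Get-Service -Name WebClient
    }

    $webclientMitigated = (-not $webclient) -or ($webclient.StartType -eq 'Disabled')

    [pscustomobject]@{
        OS                 = $osName
        ReleaseId          = $releaseId
        AtmfdDllPresent    = $present            # empty list = module absent or already renamed
        WebClientStatus    = if ($webclient) { "$($webclient.Status)/$($webclient.StartType)" } else { 'not installed' }
        WebClientMitigated = $webclientMitigated
        # Host still needs attention if the DLL is present or WebDAV is reachable
        NeedsAction        = ($present.Count -gt 0) -or (-not $webclientMitigated)
    }
}

# Report only; add -DisableWebClient to apply that workaround
Get-AtmfdExposure | Format-List
```

Renaming ATMFD.DLL and disabling the Explorer panes are left to the administrator, since the article gives no file or registry details for them beyond the module name.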

Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.