Microsoft Warns of Windows Zero-Day Exploitation

Microsoft has revealed that it’s aware of on-going targeted cyberattacks exploiting two zero-day vulnerabilities found in the Windows Adobe Type Manager Library and impacting all supported versions of Windows.

What Is Zero-Day?

Zero-day is a security vulnerability in a software that’s known to the software vendor but the vendor doesn’t have a security update, also known as a patch, to fix the security vulnerability. If this zero-day vulnerability is known by malicious actors, this vulnerability has the potential to be exploited.

According to Microsoft, two zero-day remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format. Successful exploitation of this collective vulnerability in Windows Adobe Type Manager Library allows remote code execution – the ability of an attacker to access someone else’s computer and make changes to it regardless of where the computer is geographically located.

The Windows Preview Pane has been identified as an attack vector for this vulnerability. This collective vulnerability in Windows Adobe Type Manager Library, Microsoft said, could be exploited by an attacker in multiple ways such as viewing it in the Windows Preview pane or convincing a user to open a specially crafted document.

Microsoft said it’s still working on a fix to this vulnerability. “Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month,” Microsoft said. “This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”

Protection from Zero-Day Vulnerabilities

While there’s no security fix yet for the above-mentioned vulnerability, Microsoft recommends the following workarounds:

1. Disable the Preview Pane and Details Pane in Windows Explorer

Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. Microsoft, however, warned that while this workaround prevents malicious files from being viewed in Windows Explorer, it doesn’t prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.

2. Disable the WebClient Service

Microsoft said disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. The company, however, warned that even with this workaround, remote attackers who successfully exploit this vulnerability could still enable the system to run programs located on the targeted user’s computer or the Local Area Network (LAN). For this compromise to work, users will be prompted for confirmation before opening arbitrary programs from the internet.

3. Rename ATMFD.DLL

The third workaround recommended by Microsoft is by renaming ATMFD.DLL. It’s important to note that ATMFD.DLL isn’t present in Windows 10 installations starting with Windows 10, version 1709. Newer versions of Windows 10 has a mitigation component in which a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.

“When opening the malicious font sample on Windows 10 Anniversary Update, font parsing happens completely in AppContainer instead of the kernel,” Microsoft Defender ATP Research Team said in the blog post “Hardening Windows 10 with zero-day exploit mitigations“. “AppContainer provides an isolated sandbox that effectively prevents font exploits (among other types of exploits) from gaining escalated privileges. The isolated sandbox considerably reduces font parsing as an attack surface.”

4. Disable ATMFD

The ability to disable ATMFD is only available in Windows 8.1 operating systems and below. Disabling ATMFD.DLL, Microsoft said, could cause certain applications to stop working properly if they use OpenType fonts.

How to Harden Your Organization’s Systems Against Zero-Day Attacks

Cyberattacks involving zero-day exploits happen from time to time, affecting, not just Windows platform but also other platforms and applications. “A key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be – how mitigation techniques and additional defensive layers can keep cyberattacks at bay while vulnerabilities are being fixed and patches are being deployed,” Microsoft Defender ATP Research Team said.

One of the effective measures in hardening your organization’s systems (workstations and servers) is by using up-to-date operating systems (OS) – those that still regularly receive latest updates from the software vendor and by applying in a timely manner the latest updates issued. The latest updates in software, not just contain the latest fixes to known security vulnerabilities but also provide enhanced features that better protect the software from future cyberattacks.

The case in point is the mitigation that’s present in Windows 10, that is, a successful exploit in the security vulnerability in Windows Adobe Type Manager Library could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities. According to Microsoft, AppContainer in Windows 10 Anniversary Update provides an isolated sandbox that effectively prevents font exploits from gaining escalated privileges as font parsing happens completely in AppContainer instead of the kernel.

“While fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques,” Microsoft Defender ATP Research Team said. “Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact.”

Mitigation techniques, in the latest versions of Windows, Microsoft Defender ATP Research Team added, are significantly reducing attack surfaces that would have been available to future zero-day exploits.

Our team of Microsoft certified IT experts at GenX Solutions is ready to help you stop cybercriminals and protect your critical infrastructure and information. Call now (416) 920-3000 or email sales@genx.ca to schedule a quick review of your environment and mitigate the attacks.