Matrix Posted March 23, 2020

In brief: A previously undisclosed and yet to be patched critical security vulnerability is being exploited in the wild, affecting all recent versions of Windows (7/8/10) and Windows Server. Microsoft is working on a fix, but until then, it's probably best to heed Microsoft's workarounds to mitigate chances of exploitation.

Microsoft posted a new security advisory today (ADV200006), detailing what it's calling "Type 1 Font Parsing Remote Code Execution Vulnerability." They have given the vulnerability a "critical" severity rating, which is the highest severity rating Microsoft gives. The flaw seems to stem from the Adobe Type Manager Library and deals with how Windows handles fonts.

"Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format," says Microsoft.

Microsoft states there are multiple ways to leverage the flaw. One way is through tricking users into opening an especially crafted and malicious document. In fact, the document doesn't even need to be opened properly; simply viewing it in the preview pane will apparently work just the same. Once opened or previewed, an attacker gains the ability for remote code execution.

https://twitter.com/TheHackersNews/status/1242161789866889216/photo/1

Currently, there are "limited targeted attacks" that Microsoft is aware of. The company is already working on a fix, but in the meantime you can mitigate the flaw. Microsoft recommends disabling the preview pane and disabling the WebClient service. Check out the security advisory for instructions for specific Windows versions.

Patches are typically released on Patch Tuesday (the second Tuesday of the month), but Microsoft does release emergency patches outside of that schedule for critical flaws. This could be one of those cases.

funkyy Posted March 24, 2020

I did the mitigation last night....hope I remember to undo it when a patch arrives!! lol

frankl1n Posted March 24, 2020

1 hour ago, funkyy said:
> hope I remember to undo it when a patch arrives!! lol

why risk another sketchy MS patch when you already fixed the issue? I've had these 2 things disabled already and for a very long time.

funkyy Posted March 27, 2020

On 3/24/2020 at 7:11 PM, frankl1n said:
> why risk another sketchy MS patch when you already fixed the issue? I've had these 2 things disabled already and for a very long time.

Although the fix works, it doesn't show the images on thumbnails...which is inconvenient if you're looking for specific images. See screenshot.

Update:- I have undone that mitigation method and have disabled Web Client service instead. I can now see my thumbnails etc

frankl1n Posted March 28, 2020

3 hours ago, funkyy said:
> Although the fix works, it doesn't show the images on thumbnails...which is inconvenient if you're looking for specific images. See screenshot.
> Update:- I have undone that mitigation method and have disabled Web Client service instead. I can now see my thumbnails etc

actually there is a 3rd method that is supposed to protect a user's system even from a local (vs remote) attack on Windows 8.1 and below only: disable ATMFD

Quote:
> Optional procedure for Windows 8.1 operating systems and below (disable ATMFD):
>
> Method 1 (manual):
> 1. Run regedit.exe as Administrator.
> 2. In Reg Editor, navigate to the following sub key (or create it) and set its DWORD value to 1:
>    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 1
> 3. Close Registry Editor and restart the system.
>
> Method 2 (using a script):
> 1. Create a text file named ATMFD-disable.reg that contains the following text:
>
>        Windows Registry Editor Version 5.00
>
>        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>        "DisableATMFD"=dword:00000001
>
> 2. Run regedit.exe.
> 3. In Registry Editor, click the File menu and then click Import.
> 4. Navigate to and select the ATMFD-disable.reg file that you created in the first step.
> 5. Click Open and then click OK to close Registry Editor.

source for above quote: https://blog.qualys.com/laws-of-vulnerabilities/2020/03/23/microsoft-released-out-of-band-advisory-microsoft-windows-adobe-type-manager-library-remote-code-execution-vulnerability-adv200006

funkyy Posted March 28, 2020

@frankl1n Yes, I read the various workarounds on Microsoft's page and chose the first one that I mentioned because it was easy to do (lol). Then, because the image thumbnails were affected I decided on disabling the Web Client service (also easy for little old me!!). I'll think about the disabling of ATMFD again...I didn't choose it first time because Microsoft warned that it "can cause usability issues in rare cases", and I tend to err on the side of caution when making changes.😀😀😀

Update:- had a quick think about it, and created the reg file and applied it. Hopefully there won't be any of the "usability issues" that MS mentioned.
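
To see which of the workarounds discussed in this thread are actually in place on a machine (and so which ones would need undoing after a patch), the state can be read from PowerShell. This is an added example, not part of any post above or of Microsoft's advisory; the function name Get-Adv200006WorkaroundState is made up here, and the preview pane setting is not checked.

```powershell
# Added example: read-only audit of two ADV200006 workarounds from this thread.
# Makes no changes to the system. The function name is hypothetical.
function Get-Adv200006WorkaroundState {
    [CmdletBinding()]
    param()

    # Workaround: WebClient service disabled. Disabling the start type does not
    # stop an instance that is already running, so check both fields.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if ($svc) {
        $svcApplied = ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
        $svcDetail  = "StartMode=$($svc.StartMode); State=$($svc.State)"
    } else {
        $svcApplied = $true
        $svcDetail  = 'WebClient service is not installed'
    }
    [pscustomobject]@{
        Workaround = 'Disable WebClient service'
        Relevant   = $true
        Applied    = $svcApplied
        Detail     = $svcDetail
    }

    # Workaround: DisableATMFD = 1 (DWORD). The quoted procedure limits this to
    # Windows 8.1 (version 6.3) and below, and it needs a restart to take effect.
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $prop = Get-ItemProperty -Path $key -Name DisableATMFD -ErrorAction SilentlyContinue
    if ($prop) {
        $kind       = (Get-Item -Path $key).GetValueKind('DisableATMFD')
        $regDetail  = "DisableATMFD=$($prop.DisableATMFD) ($kind)"
        $regApplied = ($prop.DisableATMFD -eq 1 -and $kind -eq 'DWord')
    } else {
        $regDetail  = 'DisableATMFD value not present'
        $regApplied = $false
    }
    [pscustomobject]@{
        Workaround = 'Disable ATMFD (registry)'
        Relevant   = ($osVersion -lt [version]'6.4')
        Applied    = $regApplied
        Detail     = "$regDetail; OS version $osVersion"
    }
}

Get-Adv200006WorkaroundState | Format-Table -AutoSize
```

Piping the function's output to Export-Csv before and after applying a workaround leaves a record of the original settings to restore later.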