Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Pickles - Lord of the Jar

Windows code-execution zeroday is under active exploit, Microsoft warns

Recommended Posts

Posted · Original PosterOP

 

Quote

The font-parsing remote code-execution vulnerability is being used in “limited targeted attacks,” the software maker said in an advisory published on Monday morning. The security flaw exists in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. The vulnerability consists of two code-execution flaws that can be triggered by the improper handling of maliciously crafted master fonts in the Adobe Type 1 Postscript format. Attackers can exploit them by convincing a target to open a booby-trapped document or viewing it in the Windows preview pane...

 

Until a patch becomes available, Microsoft is suggesting users use one or more of the following work-arounds:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient service
  • Rename ATMFD.DLL



...While Windows users at large may not be targeted initially, new campaigns sometimes sweep larger and larger numbers of targets once awareness of the underlying vulnerabilities becomes wider spread. At a minimum, all Windows users should monitor this advisory, be on the lookout for suspicious requests to view untrusted documents, and install a patch once it becomes available. Windows users may also want to follow one or more of the workarounds, but only after considering the potential risks and benefits of doing so.
 

Source

While this is bad. It is good to see there are at least some kinds of mitigations. We are never going to be free of exploits but at the end of the day, this zeroday is bad, but it doesn't appear to be apocalyptic. Hopefully Microsoft will have a patch soon. Either way, it is being actively exploited so if you are worried check the article for mitigations. 
 


For years I have lived in these crystal lands. My people were once plentiful. Many of those in my fiefdom revered me. However, one day a calamity hit. The fingers of the devil plucked us from our land, never to return. Now I am the sole heir to the throne. I am Pickles, Lord of the Brine, One of the Jar, Man of Preserves and Last of the Condiments. 

"Everyone is an expert in something. Never approach an interaction thinking someone is otherwise. Knowledge is acquired not earned. Always be humble and wise. Never look down on others for simply being ignorant within your realm of your expertise." ~ Unknown
Hey, I am Lord Xeb from OCN!
3600x | NH-D15 Chromax Black | 32GB 3200MHz | GTX 1070 Hybrid (2100c/2241m) | Gigabyte X570 Aorus Elite | Seasonic X760w | Phanteks Evolv X | 1TB Samsung 850 Pro | Sandisk Skyhawk 3.84TB SSD | 4TB HDD 

Link to post
Share on other sites
19 minutes ago, Lord Xeb said:

http://Windows code-execution zeroday is under active exploit, Microsoft warns

 

Either way, it is being actively exploited so if you are worried check the article for mitigations. 

Uh... Did you mean to link to this article (Ars Technica) instead...?

The link above links to this post...?


正直に生きる

Link to post
Share on other sites
Posted · Original PosterOP

Thanks bud. Problem fixed!


For years I have lived in these crystal lands. My people were once plentiful. Many of those in my fiefdom revered me. However, one day a calamity hit. The fingers of the devil plucked us from our land, never to return. Now I am the sole heir to the throne. I am Pickles, Lord of the Brine, One of the Jar, Man of Preserves and Last of the Condiments. 

"Everyone is an expert in something. Never approach an interaction thinking someone is otherwise. Knowledge is acquired not earned. Always be humble and wise. Never look down on others for simply being ignorant within your realm of your expertise." ~ Unknown
Hey, I am Lord Xeb from OCN!
3600x | NH-D15 Chromax Black | 32GB 3200MHz | GTX 1070 Hybrid (2100c/2241m) | Gigabyte X570 Aorus Elite | Seasonic X760w | Phanteks Evolv X | 1TB Samsung 850 Pro | Sandisk Skyhawk 3.84TB SSD | 4TB HDD 

Link to post
Share on other sites
13 hours ago, Lord Xeb said:

Until a patch becomes available, Microsoft is suggesting users use one or more of the following work-arounds:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient service
  • Rename ATMFD.DLL

 

Should i do this as normal user ? or am i not at risk if so where do i even find the settings to disable those.

Link to post
Share on other sites
1 hour ago, Tony Tony Chopper said:

Should i do this as normal user ? or am i not at risk if so where do i even find the settings to disable those.

It depends.

 

Right now it seems like the exploit is very limited and requires some user interaction to be exploited (for example, download an infected program and run it). Doing the "work-arounds" might also break compatibility with some software. Also, it's risky to rename system files because you either have to change the security settings of the files (admin users are not allowed to change system files by default), or do it through cmd.

 

 

How to do these things are described in the hackernews article that is the original source. I'll paste that below.

Spoiler
Quote

1) Disable the Preview Pane and Details Pane in Windows Explorer

Meanwhile, all Windows users are highly recommended to disable the Preview Pane and Details Pane feature in Windows Explorer as a workaround to reduce the risk of getting hacked by opportunistic attacks.

 


To disable the Preview Pane and Details Pane feature:

 

 

  • Open Windows Explorer, click Organize and then click Layout.
  • Clear both the Details pane and Preview pane menu options.
  • Click Organize, and then click Folder and search options.
  • Click the View tab.
  • Under Advanced settings, check the Always show icons, never thumbnails box.
  • Close all open instances of Windows Explorer for the change to take effect.

However, to be noted, while this workaround prevents malicious files from being viewed in Windows Explorer, it does not strict any legitimate 3rd-party software from loading the vulnerable font parsing library.

 

 

2) Disable the WebClient service

Besides this, it is also advised to disable Windows WebClient service to prevent cyberattacks through the WebDAV client service.

 

 

  • Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  • Right-click WebClient service and select Properties.
  • Change the Startup type to Disabled. If the service is running, click Stop.
  • Click OK and exit the management application.

"After applying this workaround, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet," the Microsoft warned.

 

 

3) Rename or Disable ATMFD.DLL

Microsoft is also urging users to rename Adobe Type Manager Font Driver (ATMFD.dll) file to temporarily disable the embedded font technology, which could cause certain 3rd-party apps to stop working.

Enter the following commands at an administrative command prompt:

 

 

Quote

For 32-bit system:
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

 

Quote

For 64-bit system:
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
cd "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

 


Restart the system.

 

 

Link to post
Share on other sites

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#ID0EMGAC

 

Quote

Windows Security Advisory ADV200006

 

Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers. The operating system versions that are affected by this vulnerability are listed below. Please see the mitigation and workarounds for guidance on how to reduce the risk.

Please Note: The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015.

Please see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.

Keep in mind that users on older platforms are in much more danger compared to Windows 10 users. For the Windows 10 & Windows server 2016, 2019 platform, the severity level is Important. For Windows 7, 8, Server 2012, 2008, the severity level is Critical.

 

If you're on Windows 10 then you won't need to worry too much about this exploit, as mitigations have been placed. For Windows 7 or other legacy version users, the risk is high.

Link to post
Share on other sites

Makes you wonder why services like Server, Workstation and WebClient need to run by default on average system in the first place... 99% of people will never use them and it's there running, being ready to exploit. We're asked about all sorts of stupid crap during installation, why not also ask "Is this going to be used as server/workstation or home computer?" If it's home computer, then turn that all off. If server/workstation, enable it. And if user needs it later, I'm pretty certain they'd know where to turn it on again if required.

Link to post
Share on other sites
1 hour ago, RejZoR said:

And if user needs it later, I'm pretty certain they'd know where to turn it on again if required.

That's where you're wrong.

What you're suggesting is the way a lot of GNU/Linux distros does it. Minimal installs with features that are enabled if required. And look at what the average user on this forum says about that. As soon as you start going "if you want to do X then you first need to do Y and Z" it becomes too complicated, even for a lot of users on this forum.

 

On my Windows 10 machine I got 279 different services, and that's probably a fairly conservative number because I don't install a whole lot of stuff on my computer. Do you really want the average users to need to sort through close to 300 different services and expect them to know exactly which ones to have enabled and which ones to have disabled so that the programs and features they use work, but not other ones? And that's just services. Wanna apply the same logic to features as well? Then we need to pile on another couple of hundred variables.

 

It's easy to look at an individual service and go "well most people probably don't need this so it should be disabled", but it's harder to do that when you take the use case of ~1 billion users into account, and the different combinations of programs used. What about third party programs which hooks into the native WebDav service in Windows?

 

 

Windows is designed as something meant to work well out of the box, and that comes with it having a ton of unnecessary features enabled by default. What you could do is lock down your own install of Windows if you want. I think knowing what to shut off is about as easy as knowing what to turn on (which is what your solution was).

Link to post
Share on other sites
8 hours ago, LAwLz said:

What you're suggesting is the way a lot of GNU/Linux distros does it. Minimal installs with features that are enabled if required.

Depends on who wnats to use, for average joe the base install is pretty much ready to go.

 

  

8 hours ago, LAwLz said:

Then we need to pile on another couple of hundred variables.

Or just have system service that activates and deactivates services on the fly based on what running applications need? No point in wasting resources on things that arent needed.

Link to post
Share on other sites
9 hours ago, LAwLz said:

That's where you're wrong.

What you're suggesting is the way a lot of GNU/Linux distros does it. Minimal installs with features that are enabled if required. And look at what the average user on this forum says about that. As soon as you start going "if you want to do X then you first need to do Y and Z" it becomes too complicated, even for a lot of users on this forum.

Spoiler

 

On my Windows 10 machine I got 279 different services, and that's probably a fairly conservative number because I don't install a whole lot of stuff on my computer. Do you really want the average users to need to sort through close to 300 different services and expect them to know exactly which ones to have enabled and which ones to have disabled so that the programs and features they use work, but not other ones? And that's just services. Wanna apply the same logic to features as well? Then we need to pile on another couple of hundred variables.

 

It's easy to look at an individual service and go "well most people probably don't need this so it should be disabled", but it's harder to do that when you take the use case of ~1 billion users into account, and the different combinations of programs used. What about third party programs which hooks into the native WebDav service in Windows?

 

 

Windows is designed as something meant to work well out of the box, and that comes with it having a ton of unnecessary features enabled by default. What you could do is lock down your own install of Windows if you want. I think knowing what to shut off is about as easy as knowing what to turn on (which is what your solution was).

 

 

I know a lot of people where "turn on the computer" is too complicated. But here, I'm glad for the warning though.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×