  • Yet another font exploit


    Viewing 19 reply threads
      • #2210249 Reply
        woody
        Da Boss

        You’d think that MS would’ve figured out a way to block all of the bad font takeover scenarios, but apparently not. Adobe Type Manager fonts just got
        [See the full post at: Yet another font exploit]

        6 users thanked author for this post.
      • #2210256 Reply
        anonymous
        Guest

        Here are the mitigations:

        https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#ID0EMGAC

        1 user thanked author for this post.
      • #2210325 Reply
        warrenrumak
        AskWoody Plus

        Adobe Type v1? Yikes… yeah, that code is easily 25 years old at this point.

        Other than for extremely specific backwards compatibility situations, I can’t see any reason for Windows to even support that format anymore. Type 1 stopped being relevant in production work by the late 1990s.

        • This reply was modified 2 weeks, 3 days ago by warrenrumak.
        1 user thanked author for this post.
        • #2210412 Reply
          anonymous
          Guest

          I can’t see any reason for Windows to even support that format anymore.

          I think they have to support it because it’s part of the OpenType standard. Windows doesn’t support old-school .pfm style Type 1 fonts, but some OTF files have “type 1” in the information.

          And the advisory talks about “automatic display of OTF fonts.”

      • #2210491 Reply
        anonymous
        Guest

        Really, anything from Adobe should not be included in Windows without the needed source code auditing, and MS should be carefully vetting what gets allowed into the Windows core functionality; third-party applications should get their functionality plumbed in via whatever API hooks MS provides. All that needs to be properly sandboxed and unable to get outside of that protected area.

      • #2210513 Reply
        Moonbear
        AskWoody Lounger

        @Woody

        Is this any different from the workaround that Microsoft posted?

        https://www.ghacks.net/2020/03/24/critical-font-parsing-issue-in-windows-revealed-fix-inside/

        1 user thanked author for this post.
        • #2210626 Reply
          woody
          Da Boss

          They look the same to me. Anybody see any differences?

      • #2210604 Reply
        b
        AskWoody Plus

        Microsoft’s Security Advisory ADV200006 has been revised twice today:

        “Microsoft has become aware of limited targeted Windows 7 based attacks …”

        Please Note: The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015. Please see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.

        I believe there are also new alternative workarounds for Windows 7 and Windows 8.1 which involve disabling atmfd.dll by renaming it (or disabling ATMFD via the registry for Win 8.1).

        Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

        1 user thanked author for this post.
      • #2210627 Reply
        Skider86
        AskWoody Lounger

        Is it just me or does the layout of the advisory just not look well thought out? If one follows the instructions for protecting Windows 8.1 and earlier by creating the registry key to disable the support for the library, does this mitigate the Windows Explorer exposure? If I set the registry key is there any reason to do the hokey pokey on renaming the DLL?

      • #2210629 Reply
        b
        AskWoody Plus

        Only Windows 7 is being attacked. No workarounds necessary for Windows 10.

        Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

        1 user thanked author for this post.
      • #2210630 Reply
        Skider86
        AskWoody Lounger

        GHacks does not include renaming of the DLL file. I would think the registry key is equal in disabling, but the document could be improved to make this clear.

      • #2210641 Reply
        Skider86
        AskWoody Lounger

        I wonder why Microsoft didn’t share the GPO for turning both panes off for Windows Explorer?

        Location:  User Configuration – Administrative Templates – Windows Components – File Explorer – Explorer Frame Pane

        Setting:  Turn off Preview pane

        Setting:  Turn on or off Details pane

        4 users thanked author for this post.
      • #2210651 Reply
        Moonbear
        AskWoody Lounger

        @Woody

        In that case, is unchecking the Details and Preview panes in File Explorer and then disabling the WebClient service enough to mitigate this? Or is it also necessary to add the registry entry shown at the end of the gHacks article?

        • This reply was modified 2 weeks, 2 days ago by Moonbear.
        2 users thanked author for this post.
        • #2210777 Reply
          woody
          Da Boss

          Short answer: I don’t know. Wonder if anybody else does?

      • #2210691 Reply

        I just followed the ghacks:

        For Windows 7, Windows 8.1 and Windows Server 2008 R2, 2012 and 2012 R2:

        1. Open a Windows Explorer instance and select Organize > Layout.
        2. Disable the Details pane and Preview pane options (if they are enabled. You should notice that the panes are not displayed when disabled)
        3. Select Organize > Folder and search options.
        4. Switch to the View tab.
        5. Under Advanced Settings, check “Always show icons, never thumbnails”.
        6. Close all Windows Explorer instances.

        This is going to be a major PITA for those of us who like to work with graphics. Can someone actually quantify WHERE, WHEN and HOW FREQUENTLY these attacks are happening, along with who the most vulnerable of the WIN 7 crowd are?

        “Only Windows 7” now, eh? My olfactory sensors detecting something not quite so sweet in Denmark…

        Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode. ESU 1 yr."
        --
        "Just because you're an engineer doesn't mean you're good at everything." -Anonymous

        1 user thanked author for this post.
        • #2210700 Reply
          anonymous
          Guest

          “Only Windows 7” now, eh? My olfactory sensors detecting something not quite so sweet in Denmark…

          That just means the adversary actually using this exploit is unsophisticated. Defeating Windows 8.1 would require an ASLR bypass, defeating Windows 10 requires that and possibly a sandbox bypass as well (especially on newer versions when fonts were completely moved out of the kernel).

          Which isn’t a great sign, it’s possible this has been used quietly by the big nation-state adversaries for a while before the little guys got their paws on it.

      • #2210713 Reply

        Forgot to ask this: Why is there no CVE on this yet, just a MSFT Advisory? And again, can we get someone, or some agency, to actually quantify WHERE, WHEN and HOW FREQUENTLY these attacks are happening, along with who the most vulnerable of the WIN 7 crowd are?

        If we can put a CVE to this, Eset has a very good “Virus radar” site that gives this sort of info on exploits.

        The big mystery to me is why, if this is so critical, is there no CVE yet?

        Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode. ESU 1 yr."
        --
        "Just because you're an engineer doesn't mean you're good at everything." -Anonymous

        • #2210769 Reply
          b
          AskWoody Plus

          Perhaps we have to wait until next week? Due to:

          “We appreciate the efforts of our industry partners and are complying with a 7-day timeline for disclosing information regarding these limited attacks.”

          Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

          1 user thanked author for this post.
      • #2210844 Reply
        anonymous
        Guest

        The owner of the atmfd.dll file is TrustedInstaller; change that to admin and it is possible to rename it, using Windows 7.

        Windows 7/8/10 – How to Delete Files Protected by TrustedInstaller

        Too bad, I got stuck on how to follow this tutorial; I don’t get it, but some people do…? The best way is to rename or delete atmfd.dll, so if someone would make a better or easier tutorial, then I can re-enable showing my icons on the desktop; they all look the same now because of security measures :(

      • #2210871 Reply
        b
        AskWoody Plus

        The original Microsoft Advisory linked in the second post of this thread listed the commands required to do that.

        Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

      • #2211020 Reply
        Nitecon
        AskWoody Lounger

        For any MS Defender ATP customers, MS have updated the Microsoft Defender Security Center dashboard with the vulnerability – “Type 1 font-parsing 0-day vulnerabilities”.

        There is a bit more info there, but you also have access to an advanced hunting query to locate processes launched with possible malicious intent by the vulnerable font parser on Windows 10 devices.

      • #2211268 Reply
        Cybertooth
        AskWoody Plus

        My Windows 7 system running 0patch has just now received a micropatch for this vulnerability:

        0patch

        I happened to be working on the computer when 0patch popped out a notification to report application of the new patch.

        1 user thanked author for this post.
      • #2211501 Reply
        Alex5723
        AskWoody Plus

        0Patch : Micropatching Unknown 0days in Windows Type 1 Font Parsing

        …As we’ve done before in a similar situation, we decided to provide our users with a micropatch to protect themselves against these vulnerabilities in a “0patch fashion”, i.e., completely automatically and without disturbing users even in the slightest.

        Our micropatch is currently available for fully updated Windows 7 64-bit and Windows Server 2008 R2 without Extended Security Updates (ESU), which means with January 2020 Windows Updates installed. This provides protection for our users who continue using these Windows versions but were unable or unwilling to obtain ESU, and are now, somewhat ironically, the only Windows users with a patch for these vulnerabilities….

        https://blog.0patch.com/2020/03/micropatching-unknown-0days-in-windows.html

        2 users thanked author for this post.
      • #2211764 Reply
        anonymous
        Guest

        MoonBear said:
        is unchecking the Details and Preview panes in File Explorer and then disabling the WebClient service enough to mitigate this? Or is it also necessary to add the registry entry

        The font parsing vulnerability is found in the Adobe Type Manager Library’s kernel font driver (ATMFD.DLL) itself.

        Disabling Windows/File Explorer’s Preview Pane, Details Pane, & thumbnails view merely disables some of the “vehicles” used by ATMFD.DLL to render Adobe Type 1/PostScript & OpenType (OTF) fonts.

        • Other possible “vehicles” include 3rd-party file managers, 3rd-party file font viewers, email clients etc. that utilize Windows’ ATMFD.DLL driver to render the affected font formats.
        • MS Outlook’s preview function is apparently not affected by the vulnerability.
        • Web browsers like Internet Explorer, Firefox, Chromium, etc. do not use ATMFD.DLL to render fonts on a webpage, so these are not affected either.

        Disabling the WebClient/WebDAV server service merely turns off one of the routes by which a malicious font (or a document using a malicious font type) can infiltrate the local PC via the local network/server route.

        • Even then, it is still possible to receive a malicious file via the internet (eg. through email or by manually downloading from a hyperlink on a webpage).

        As such, unless Microsoft provides a cure for the defective ATMFD.DLL ( & MS already declared it won’t be doing so for unsupported Win 7 & older systems), the most effective mitigation is to disable ATMFD.DLL by:

        • Adding a new registry entry:

        HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
        => add: DisableATMFD = 1 [REG_DWORD]

        • &/or renaming ATMFD.DLL
          Note: This DLL is a protected file, so you need to change the DLL’s file permissions first before you can rename it.

        … followed by rebooting the PC.

        Negative Impacts of Disabling ATMFD.DLL:

        1) It is no longer possible for any application to use/display Adobe Type 1/PostScript & OpenType (OTF) fonts, or view documents created with these font formats.

        2) A malevolent local/remote user with logon credentials to your PC can easily undo the disabling, before proceeding to carry out a local attack.

        1 user thanked author for this post.
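A small PowerShell audit for the two ATMFD mitigations listed in the post above (the DisableATMFD registry value and renaming the DLL), added here as an example and not part of that post or of Microsoft’s advisory; it assumes the registry path and value exactly as the post gives them, that atmfd.dll normally lives under System32 (and SysWOW64 on 64-bit installs), and that the -Apply switch is run from an elevated prompt.

```powershell
# Added example: report whether the ATMFD mitigations from the thread are in
# place on a Windows 7 / 8.1 host. Read-only unless -Apply is passed.
[CmdletBinding()]
param([switch]$Apply)

# Registry location and value exactly as given in the post above
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$valName = 'DisableATMFD'

# Assumed DLL locations; the SysWOW64 copy only exists on 64-bit Windows
$dllPaths = @(
    (Join-Path $env:SystemRoot 'System32\atmfd.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\atmfd.dll')
)

function Get-AtmfdStatus {
    $item  = Get-ItemProperty -Path $regPath -Name $valName -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$valName } else { $null }   # $null when absent
    [pscustomobject]@{
        DisableATMFD      = $value
        RegistryMitigated = ($value -eq 1)
        # A present DLL means the rename workaround has not been applied
        DllStillPresent   = @($dllPaths | Where-Object { Test-Path $_ })
    }
}

$status = Get-AtmfdStatus
$status | Format-List

if ($Apply -and -not $status.RegistryMitigated) {
    # Needs an elevated prompt; the thread notes a reboot is required afterwards
    New-ItemProperty -Path $regPath -Name $valName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$valName set to 1; reboot to apply."
}
```

Per the posts above this is only meant for Windows 7/8.1 (Microsoft says Windows 10 does not need the workaround), and tonyc035’s report further down shows a network-share side effect, so check NAS access after the reboot.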
      • #2212424 Reply
        tonyc035
        AskWoody Plus

        Hi there!

        I’m still running Windows 7, so I just tried adding the DisableATMFD DWord (32-bit) value 0 registry key, and after rebooting I could no longer access my WD Home Duo NAS. I renamed the key to “xDiasableATMFD”, rebooted again, and all is fine now.

        I’m not saying that disabling ATMFD is a bad thing, just be aware of one of the possible side effects.

        Cheers!

        • This reply was modified 1 week, 4 days ago by tonyc035.
