Microsoft warns that two vulnerabilities have been discovered in the Adobe Type Manager Library (atmfd.dll) and that hackers are already exploiting them. These 0-day vulnerabilities in atmfd.dll endanger all versions of Windows.
This library is used in Windows to render PostScript Type 1 fonts. According to experts, both vulnerabilities allow remote execution of arbitrary code, that is, attackers can run their own code on the victim’s system and take various actions on behalf of the user.
According to Microsoft, exploiting the vulnerabilities is easy for an attacker.
“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane”, the company said.
All currently supported versions of Windows and Windows Server (including Windows 10, 8.1 and Server 2008, 2012, 2016 and 2019) are affected. Windows 7, whose support was discontinued earlier this year, is also vulnerable.
Little is known about the current attacks. The company characterizes them as “limited” and “targeted”, but does not go into details.
Since there are no patches yet (their release can probably be expected only as part of the April Patch Tuesday update), Microsoft engineers recommend taking the following steps:
- disable the Preview Pane and Details Pane (preview and information panels) in Windows Explorer;
- disable the WebClient service;
- rename ATMFD.DLL.
However, information security experts report that these measures are either insufficient to secure the system or cause malfunctions.
- The first measure stops Windows Explorer, the tool that provides the graphical user interface for displaying and managing Windows resources, from automatically displaying OpenType fonts. Although this interim fix prevents some types of attacks, it does not stop a local authenticated user from launching a specially crafted program to exploit the vulnerability.
- The second workaround, disabling the WebClient service, blocks the vector that attackers are most likely to use for remote exploitation. Even with this measure in place, remote attackers can still run programs located on the target computer or on the target user’s local network; however, the workaround makes Windows ask users for confirmation before opening arbitrary programs from the Internet. Microsoft said that disabling WebClient may prevent Web Distributed Authoring and Versioning (WebDAV) transfers. It also stops all WebClient-dependent services from starting and logs error messages in the System log.
- Renaming ATMFD.DLL, the last recommended workaround, will cause display problems for applications that use embedded fonts and may cause some applications to stop working if they use OpenType fonts. Microsoft also warned that mistakes when editing the Windows registry, which one version of the third workaround requires, could cause serious problems that might require a complete reinstallation of Windows.
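An audit script for the second and third workarounds, added here as an example (it is not part of the article or of Microsoft's advisory). It assumes an elevated PowerShell session on the Windows host being checked; the Preview/Details Pane setting is a per-user Explorer UI option and is not checked. The function names are this example's own.

```powershell
# Added example: report whether the interim atmfd.dll workarounds are in place.
# Assumes an elevated PowerShell session; makes no changes unless
# Disable-WebClientService is called explicitly.
function Get-AtmfdMitigationState {
    $result = [ordered]@{}

    # Workaround 2: the WebClient (WebDAV client) service should be stopped and disabled.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $result.WebClientDisabled = $true   # service not installed on this host
    } else {
        $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
        $result.WebClientDisabled = ($svc.Status -ne 'Running' -and $startMode -eq 'Disabled')
    }

    # Workaround 3: ATMFD.DLL renamed, or absent (newer Windows 10 builds no longer ship it).
    $dllPaths = @("$env:SystemRoot\System32\atmfd.dll", "$env:SystemRoot\SysWOW64\atmfd.dll")
    $present = @($dllPaths | Where-Object { Test-Path -Path $_ })
    $result.AtmfdPresentAt = $present
    $result.AtmfdRenamedOrAbsent = ($present.Count -eq 0)

    # Workaround 1 (Preview/Details Pane) is a per-user Explorer setting and is not checked here.
    $result.CheckedMitigationsApplied = ($result.WebClientDisabled -and $result.AtmfdRenamedOrAbsent)
    [pscustomobject]$result
}

function Disable-WebClientService {
    # Applies workaround 2. Side effects, as the article notes: WebDAV transfers
    # stop working and WebClient-dependent services will fail to start.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

Get-AtmfdMitigationState | Format-List
```

Run it before and after applying the workarounds to confirm the change took effect; a host where AtmfdRenamedOrAbsent is false still loads the vulnerable font driver.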
0-day vulnerabilities in Windows, with no sane information about the attacks and no patches, seem like a virus that has infected Microsoft in 2020. Don't they?