It's 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, either

Spreading in the wild, no vaccine, people told to distance themselves from dodgy sources... sounds familiar


Hackers are commandeering victims' Windows PCs by exploiting at least one remote-code-execution flaw in the Adobe Type Manager Library included with the Microsoft operating system. No patches are available right now.

Redmond today warned of two flaws, not yet assigned CVE numbers, in the font parser, and said at least one has been exploited in a "limited number of attacks" to hijack vulnerable computers. Switching off the preview and details panes in Windows Explorer blocks the no-click, automatic route to exploitation, but it does not address the bugs themselves: a booby-trapped file opened in an application still reaches the vulnerable code unless the library is disabled.

That "limited number" may well grow soon: now that the word is out, exploit developers are likely to hunt for the flaws and weaponize them.

All supported versions of Windows are affected.

Adobe, for what it's worth, said this is Microsoft's problem. "This library is exclusively supported by Microsoft, and customers using Adobe products are not at risk," Adobe helpfully told The Register.

To exploit the bugs, a miscreant embeds a specially crafted multi-master font in a document and sends it to a victim. When the victim's PC tries to render the file, in an application or in a preview pane, the operating system hands the embedded font, in Adobe Type 1 PostScript format, to the Adobe Type Manager Library, which mishandles the corrupt data and lets the attacker's code, smuggled within the font, execute.

We're told that on Windows 10 a successful attack is confined to an AppContainer sandbox with limited privileges and capabilities, rather than handing the malicious code full access to the box. Older versions of Windows offer no such containment: there the Adobe Type Manager font driver runs in kernel mode, so a successful exploit is a far more serious matter.

One mitigation is to disable the Windows Explorer Preview Pane and Details Pane, via Organize > Layout in Explorer; the advisory also lists an accompanying change under Explorer's Advanced Settings. Note that this only prevents exploitation during preview: opening a poisoned file in an application will still trigger the bug.

To really close off the flaw, you will also need to disable the WebClient service, which blocks the remote WebDAV delivery route but does nothing for files opened locally, and/or rename the library, ATMFD.DLL, so that it cannot be loaded. Those with Windows 8.1 or earlier can instead edit the registry to disable the vulnerable components. Each workaround has side effects, such as applications that rely on Type 1 fonts no longer rendering them, so check the Microsoft advisory for the pitfalls before rolling them out.
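The workarounds above, gathered into one script as an added example; this is not code from The Register, Microsoft or Adobe. It assumes the DisableATMFD DWORD under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and the takeown/icacls/rename sequence are as Microsoft's advisory documents them, which you should confirm against the advisory before use; the x-atmfd.dll name, the -Apply switch and the Get-AtmfdState report are this script's own choices. The preview/details pane toggle is a per-user Explorer setting and is left to the GUI.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from The Register, Microsoft or Adobe.
  Without -Apply it only reports the state of each workaround; with -Apply it
  disables WebClient, renames atmfd.dll wherever it is present, and on
  Windows 8.1 or earlier sets the DisableATMFD registry value.
  Assumptions: registry value name/path and the takeown/icacls/rename steps
  follow Microsoft's advisory (verify there); 'x-atmfd.dll' and -Apply are
  this script's own. A reboot is needed for the rename/registry change.
#>
param([switch]$Apply)

$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$LibDirs = @("$env:windir\System32", "$env:windir\SysWOW64") |
           Where-Object { Test-Path $_ }

function Get-AtmfdState {
    # Snapshot of everything the workarounds touch, so the script can be run
    # read-only before and after applying them.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $reg = Get-ItemProperty -Path $RegPath -Name DisableATMFD -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AtmfdPresentIn   = @($LibDirs | Where-Object { Test-Path (Join-Path $_ 'atmfd.dll') })
        WebClientStartup = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        DisableATMFD     = if ($reg) { $reg.DisableATMFD } else { $null }
        IsWin10OrLater   = [Environment]::OSVersion.Version.Major -ge 10
    }
}

function Disable-WebClientService {
    # Blocks the remote WebDAV delivery route only; a booby-trapped document
    # opened locally still reaches the parser, so this is partial on its own.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

function Rename-AtmfdLibrary {
    param([Parameter(Mandatory)][string]$Dir)
    $dll = Join-Path $Dir 'atmfd.dll'
    if (-not (Test-Path $dll)) { return $false }   # not present on this build
    # The DLL is owned by TrustedInstaller: take ownership, save the current
    # ACL so the change can be reverted, grant Administrators full control,
    # then rename it so the loader can no longer find it.
    & takeown.exe /f $dll | Out-Null
    & icacls.exe $dll /save "$dll.acl" | Out-Null
    & icacls.exe $dll /grant 'Administrators:(F)' | Out-Null
    Rename-Item -Path $dll -NewName 'x-atmfd.dll'
    return $true
}

function Set-DisableAtmfdRegistry {
    # Documented for Windows 8.1 and earlier only; on Windows 10 the rename
    # (or the eventual fix) is the relevant control.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name DisableATMFD -PropertyType DWord `
                     -Value 1 -Force | Out-Null
}

$before = Get-AtmfdState
Write-Host 'Before:'
$before | Format-List

if ($Apply) {
    Disable-WebClientService
    foreach ($d in $LibDirs) {
        if (Rename-AtmfdLibrary -Dir $d) { Write-Host "Renamed atmfd.dll in $d" }
    }
    if (-not $before.IsWin10OrLater) { Set-DisableAtmfdRegistry }
    Write-Host 'After:'
    Get-AtmfdState | Format-List
    Write-Warning 'Reboot required for the library rename and registry change to take effect.'
}
```

Run it once without -Apply to record the baseline (and to see whether atmfd.dll exists at all on the build in question), then with -Apply from an elevated prompt. The saved .acl file and the renamed DLL are what you need to reverse the change once a real patch lands, so keep them.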

Otherwise, it is going to be a bit of a wait for a fix. From the sound of things, Redmond intends to address the flaws on the next Patch Tuesday, April 14, more than three weeks away. The reasoning: a patch issued now would let exploit developers diff the changed code and work out how to attack anyone who cannot apply the fix immediately. With businesses tied up with the coronavirus pandemic and in no position to push out-of-band patches across their fleets, Microsoft has decided to keep its cards close to its chest.

Should the number of attacks expand significantly beyond a "limited number," we could see an emergency out-of-band update released sooner, or at least you'd hope so. ®
