Generally, Microsoft announces vulnerabilities when they release patches on their (in)famous Patch Tuesday releases. That usually means bad actors only have a chance to investigate and exploit a vulnerability after the patch is released, leaving a small window of opportunity to use the vulnerability in attacks before systems have the patch applied.
On March 22, a 0-day vulnerability was announced that affects supported versions of Windows, including Windows 7. According to Microsoft, this vulnerability has been used in some limited targeted attacks in the wild against Windows 7. Per their advisory, an attacker would need to trick a user into opening a malicious document or viewing it in the Preview Pane of Windows Explorer. At the time of this article, Microsoft plans to release a patch for this vulnerability in April’s Patch Tuesday drop.
This means there is an increased risk over the next few weeks for files delivered via malicious emails. It should also be noted that versions of Windows 10 and the corresponding Server versions experience minimal risk from this vulnerability because the fonts are processed in a user mode AppContainer sandbox, which limits the overall impact.
In the advisory, Microsoft goes on to recommend three workarounds. Which one you implement will depend on what level of impact your supported end users can tolerate. All of them will limit a user's ability to view documents in the Preview Pane of Windows Explorer. It should also be noted that the Outlook Preview Pane is NOT included in this vulnerability.
- Disable the Preview Pane and Details Pane. This will prevent the automatic display of OpenType fonts (OTF).
- Disable the WebClient (WebDAV) service. This will prompt users to confirm before opening programs from the internet, adding another layer of decision before a file is opened. Note that this workaround will affect any WebDAV shares and render them unavailable.
- Rename ATMFD.dll on versions of Windows before version 1709 (the .dll is not present on versions newer than this). This workaround may cause issues with any applications that use OTF.
The workarounds can vary from system to system, and you can view the individual steps in the advisory. Consider any effects these may have on your customers before you enable any workaround. If you would like to test and execute the “rename ATMFD” workaround, our Head Automation Nerd Marc-Andre Tanguay has built an AMP for you to download and review. Of course, you should run through the execution and effects on a test system before rolling out to your end users. Remember, this .dll does not exist on Windows 10 version 1709 and above.
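As an added example (not from the original post and not the AMP mentioned above), the read-only PowerShell audit below reports whether the rename and WebClient workarounds are in place on a host, so you can confirm the state on a test system before rollout and again after the patch lands when the workarounds need undoing. It assumes build 16299 is Windows 10 version 1709 (the first build without ATMFD.dll) and that the renamed file is called x-atmfd.dll; adjust that name to whatever your rename step used. The Preview Pane setting is not checked.

```powershell
# Read-only audit of the ATMFD.dll rename and WebClient workaround state.
# Uses Get-WmiObject so it also runs on the PowerShell 2.0 that ships with Windows 7.
function Get-AtmfdWorkaroundState {
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Assumption: build 16299 = Windows 10 version 1709; ATMFD.dll ships only on earlier builds.
    $dllExpected = ($build -lt 16299)

    $dirs = @(Join-Path $env:windir 'System32')
    if (Test-Path (Join-Path $env:windir 'SysWOW64')) {
        $dirs += Join-Path $env:windir 'SysWOW64'      # 64-bit hosts carry a second copy
    }

    $files = foreach ($d in $dirs) {
        New-Object PSObject -Property @{
            Directory = $d
            Present   = Test-Path (Join-Path $d 'atmfd.dll')
            Renamed   = Test-Path (Join-Path $d 'x-atmfd.dll')   # assumed rename target
        }
    }

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"

    New-Object PSObject -Property @{
        OS                 = $os.Caption
        Build              = $build
        AtmfdExpected      = $dllExpected
        AtmfdFiles         = $files
        WebClientStartMode = $(if ($svc) { $svc.StartMode } else { 'NotInstalled' })
        WebClientState     = $(if ($svc) { $svc.State }     else { 'NotInstalled' })
    }
}

$state = Get-AtmfdWorkaroundState
$state | Select-Object OS, Build, AtmfdExpected, WebClientStartMode, WebClientState | Format-List
$state.AtmfdFiles | Format-Table Directory, Present, Renamed -AutoSize

if (-not $state.AtmfdExpected) {
    Write-Output 'Windows 10 1709 or later: ATMFD.dll is not shipped here, so the rename workaround does not apply.'
}
foreach ($f in $state.AtmfdFiles) {
    if ($state.AtmfdExpected -and $f.Present) {
        Write-Output "Rename workaround NOT applied in $($f.Directory)"
    } elseif ($f.Renamed) {
        Write-Output "Rename workaround applied in $($f.Directory) (undo after the patch is installed)"
    }
}
if ($state.WebClientStartMode -ne 'Disabled') {
    Write-Output "WebClient (WebDAV) service start mode is '$($state.WebClientStartMode)', not Disabled."
}
```

Run it from an elevated prompt; it changes nothing on the system, so it is safe to push through your RMM as a check before and after applying any workaround.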
You should also consider other mitigations to protect against any opportunistic bad actors.
As with any threats that must be delivered to and accessed by an end user, it is important to ensure your other layers of protection are in place and current:
- Email protection blocks malicious emails and files and is the frontline defense to help prevent threats from making it to an end user.
- User awareness helps make sure users are trained not to click on attachments or download files they were not expecting. Have them be mindful of typos and odd or unfamiliar email addresses in the emails they receive and think twice before opening unsolicited attachments.
- Endpoint protection: ensure your endpoint protection is up to date and running, and that all of its components (such as behavioral detection) are enabled.
We will wait to see whether Microsoft releases an out-of-band patch or waits until the April Patch Tuesday to fix this vulnerability. At that time, you would want to undo any workarounds you put in place to restore the full experience to your end users (the instructions to undo these workarounds are also included in the advisory). If you are still running Windows 7, bear in mind that unless you have purchased an ESU agreement, you will likely not receive any patches for this vulnerability and should consider upgrading to a supported operating system, as well as ensuring other mitigations are up-to-date and protecting the affected systems.
Let’s stay safe out there!
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd