{"id":6350,"date":"2020-03-25T21:57:19","date_gmt":"2020-03-25T21:57:19","guid":{"rendered":"https:\/\/www.n-able.com\/?p=6350"},"modified":"2021-06-02T17:13:04","modified_gmt":"2021-06-02T16:13:04","slug":"new-0-day-vulnerability-windows-adobe-type-manager-library-exploited-wild","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/it\/blog\/new-0-day-vulnerability-windows-adobe-type-manager-library-exploited-wild","title":{"rendered":"New 0-Day Vulnerability in Windows Adobe Type Manager Library Exploited in the Wild"},"content":{"rendered":"

Generally, Microsoft announces vulnerabilities when they release patches on their (in)famous Patch Tuesday releases. That usually means bad actors only have a chance to investigate and exploit a vulnerability after the patch is released, leaving a small window of opportunity to use the vulnerability in attacks before systems have the patch applied.<\/p>\n

On March 22, a 0-day vulnerability was announced that affects supported versions of Windows, including Windows 7. According to Microsoft, this vulnerability has been used in some limited targeted attacks in the wild against Windows 7. Per their\u00a0advisory<\/a>, an attacker would need to trick a user into opening a malicious document or viewing it in the Preview Pane of Windows Explorer. At the time of this article, Microsoft plans to release a patch for this vulnerability in April\u2019s Patch Tuesday drop.<\/p>\n

This means there is an increased risk over the next few weeks for files delivered via malicious emails. It should also be noted that versions of Windows 10 and the corresponding Server versions experience minimal risk from this vulnerability because the fonts are processed in a user mode AppContainer sandbox, which limits the overall impact.<\/p>\n

In the article, Microsoft goes on to recommend three workarounds. Which one you implement will depend on what level of impact your supported end users can tolerate. All of them will limit the ability for a user to view documents in the Preview Pane of Windows Explorer.\u00a0It should also be noted that the Outlook Preview Pane is NOT included in this vulnerability<\/em>.<\/p>\n

    \n
  1. Disable the Preview Pane and Details Pane. This will prevent the automatic display of Open Type Fonts (OTF).<\/li>\n
  2. Disable the WebClient (WebDAV) service. This will prompt users to confirm before opening programs from the internet, adding another layer of decision before a file is opened. Note that this workaround will affect any WebDAV shares and render them unavailable.<\/li>\n
  3. Rename ATMFD.dll on versions of Windows\u00a0before<\/i>\u00a0version 1709 (the dll is not present on versions newer than this). This workaround may cause issues with any applications that use OTF.<\/li>\n<\/ol>\n

    The workarounds can vary from system to system, and you can view the individual steps in the\u00a0advisory<\/a>. Consider any effects these may have on your customers before you enable any workaround. If you would like to test and execute the \u201crename ATMFD\u201d workaround, our Head Automation Nerd Marc-Andre Tanguay has built an\u00a0AMP<\/a>\u00a0for you to download and review. Of course, you should run through the execution and effects on a test system before rolling out to your end users. Remember, this .dll does not exist on Windows 10 version 1709 and above.<\/p>\n

    You should also consider other mitigations to protect against any opportunistic bad actors.<\/p>\n

    Additional mitigations<\/b><\/h3>\n

    As with any threats that must be delivered to and accessed by an end user, it is important to ensure your other layers of protection are in place and current:<\/p>\n