Microsoft published Security Advisory ADV200006 on 3/24/2020 describing a zero-day remote code execution vulnerability in the Windows Adobe Type Manager Library. Microsoft described "limited targeted Windows 7 based attacks."
The Adobe library is a native implementation of Adobe Type Manager within Windows, added in Windows 2000/XP.
From the Microsoft Security advisory:
"Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane."
"Please Note: The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015."
Microsoft reported "...limited targeted Windows 7 based attacks..." and "...is not aware of any attacks against the Windows 10 platform."
Microsoft considers the threat to be low for Windows 10 systems due to mitigations added in 2015:
"The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below."
Reliable signatures specific to this threat are not yet available. Some customers have considered queries related to modload:atmfd.dll; however, this DLL is loaded by ntoskrnl.exe on boot, and the exclusions required to prevent false positives from these queries may also cause false negatives. VMware Carbon Black Advanced Threats and other signatures are intended to broadly cover the attack process, in order to stop an attack at multiple points in the attacker's kill chain. In this case, Carbon Black recommends close monitoring of post-exploitation signatures for any Windows systems before Windows 10.
On Windows 10/2016 systems prior to version 1703, you may want to monitor the execution of fontdrvhost.exe. fontdrvhost.exe is the user-mode application container that renders fonts. Looking for anomalous module loads and process executions from fontdrvhost.exe is recommended on older Windows 10 systems impacted by this advisory.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006
CB recommends following Microsoft's mitigations to disable ATMFD on Windows 8.1 and below, using either the rename or registry method provided by Microsoft.
NOTE: This vulnerability severely impacts older, no longer supported operating systems. If you have Windows 7 or Windows 2008R2 Systems within your network you should be working to migrate these machines to newer, supported operating systems so you can benefit from new security features and OS security patches.
Microsoft provided five recommended mitigations, with specifics available in Microsoft Security Advisory ADV200006:
ATMFD.DLL
"Please note: ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL."
Microsoft does not recommend these mitigations on Windows 10 systems currently supported by Microsoft.
From Microsoft:
"Applications that rely on embedded font technology will not display properly. Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change."
VMware Carbon Black TAU has published a PowerShell script to detect and mitigate this vulnerability in our public ‘tau-tools’ GitHub repository: ADV200006. This script reports whether the DisableATMFD registry key is set and can optionally set the mitigating keys. It can be used with any endpoint configuration management tool that supports PowerShell, as well as with LiveResponse.
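To show what such a check looks like, the following is an added PowerShell example of my own, not the TAU tau-tools script; the function names are assumptions. It reports whether ATMFD.DLL is still on disk (the rename method) and the DisableATMFD state, and, with a -WhatIf-capable switch, sets Microsoft's documented DisableATMFD registry value only on Windows 8.1 and below, matching the guidance above.

```powershell
# Added example (not the TAU tau-tools script); function names are assumed.
# Registry location: Microsoft's documented DisableATMFD mitigation,
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, DWORD DisableATMFD = 1,
# plus the Wow6432Node path the advisory lists for 64-bit systems. Needs PowerShell 3.0+.
$script:AtmfdKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AtmfdStatus {
    # Reports OS version, whether atmfd.dll is still on disk (rename-method
    # check) and the DisableATMFD value in each registry location.
    $ver = [version](Get-CimInstance Win32_OperatingSystem).Version
    $dll = Join-Path $env:SystemRoot 'System32\atmfd.dll'
    $status = [ordered]@{
        OSVersion         = $ver.ToString()
        AtmfdDllPresent   = Test-Path -LiteralPath $dll
        # CB recommends the registry/rename mitigations on Windows 8.1 and
        # below only; Microsoft does not recommend them on supported Windows 10.
        MitigationApplies = ($ver.Major -lt 10)
    }
    foreach ($k in $script:AtmfdKeys) {
        if (Test-Path -LiteralPath $k) {
            $v = (Get-ItemProperty -LiteralPath $k -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
            $status[$k] = if ($null -eq $v) { 'not set' } else { $v }
        }
    }
    [pscustomobject]$status
}

function Set-AtmfdMitigation {
    # Sets DisableATMFD = 1 in each location that exists (elevated shell
    # required; the change takes effect after a reboot). Refuses on Windows 10
    # so Microsoft's guidance is not overridden by mistake.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $before = Get-AtmfdStatus
    if (-not $before.MitigationApplies) {
        Write-Warning "Windows $($before.OSVersion): DisableATMFD not recommended here; nothing changed."
        return $before
    }
    foreach ($k in $script:AtmfdKeys) {
        if ((Test-Path -LiteralPath $k) -and $PSCmdlet.ShouldProcess($k, 'Set DisableATMFD = 1')) {
            New-ItemProperty -LiteralPath $k -Name DisableATMFD -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
    Get-AtmfdStatus   # re-read so the caller sees the post-change state
}

# Usage: Get-AtmfdStatus ; Set-AtmfdMitigation -WhatIf ; Set-AtmfdMitigation
```

Run Get-AtmfdStatus across a fleet through LiveResponse or a configuration management tool to find Windows 7/8.1/2008R2 hosts where DisableATMFD is 'not set' and atmfd.dll is still present.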