
Microsoft ADV200006 Type 1 Font Parsing Remote Code Execution Vulnerability

Summary

Microsoft published Security Advisory ADV200006 on 3/24/2020 describing a zero-day remote code execution vulnerability in the Adobe Type Manager Library. Microsoft described "limited targeted Windows 7 based attacks."

The Adobe library is a native implementation of Adobe Type Manager within Windows, added in Windows 2000/XP. [1]

From the Microsoft Security advisory:

"Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane."

"Please Note: The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015."

Microsoft reported "...limited targeted Windows 7 based attacks..." and "...is not aware of any attacks against the Windows 10 platform."

Microsoft considers the threat to be low for Windows 10 systems due to mitigations added in 2015:

"The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below."

Detection

Reliable signatures specific to this threat are not yet available. Some customers have considered queries such as modload:atmfd.dll; however, this DLL is loaded by ntoskrnl.exe on boot, and the exclusions required to prevent false positives from such queries may also cause false negatives. Other VMware Carbon Black Advanced Threat signatures and related detections are intended to broadly cover the attack process, in order to stop an attack at multiple points in the attacker's kill chain. In this case, Carbon Black recommends close monitoring of post-exploitation signatures for any Windows systems before Windows 10.

On Windows 10/2016 systems prior to version 1703, you may want to monitor the execution of fontdrvhost.exe, the user-mode application container that renders fonts. Looking for anomalous module loads and process executions from fontdrvhost.exe is recommended on older Windows 10 systems impacted by this advisory.

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Recommendation

CB recommends following Microsoft's mitigations to disable ATMFD on Windows 8.1 and below using either the rename or registry method provided by Microsoft.

NOTE: This vulnerability severely impacts older, no longer supported operating systems. If you have Windows 7 or Windows 2008 R2 systems within your network, you should be working to migrate these machines to newer, supported operating systems so you can benefit from new security features and OS security patches.

Mitigations

Microsoft provided five recommended mitigations, with specifics available at the Microsoft Security Advisory ADV200006:

  • Work on all systems, but do not mitigate the issue if you open a document that uses the vulnerable font class:
    1. Disable the Preview Pane and Details Pane in Windows Explorer
    2. Disable the WebClient service
  • Only work on older systems (before Windows 10), but completely mitigate the issue, though they can introduce usability issues in rare cases:
    1. Rename ATMFD.DLL
    2. Set the DisableATMFD registry key using a managed deployment script
    3. Set the DisableATMFD registry key manually

"Please note: ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL."

Microsoft does not recommend these mitigations on Windows 10 systems currently supported by Microsoft.

Mitigation Impact

From Microsoft

"Applications that rely on embedded font technology will not display properly. Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change."

Identification and Mitigation of affected systems

VMware Carbon Black TAU has published a PowerShell script to detect and mitigate this vulnerability in our public 'tau-tools' GitHub repository: ADV200006. This script reports whether the DisableATMFD registry key is set and can optionally set the mitigating keys. It can be leveraged with any endpoint configuration management tool that supports PowerShell, as well as with Live Response.
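As an added illustration (not the TAU 'tau-tools' script), the following PowerShell reports the DisableATMFD state of a host and, with -Mitigate, applies the registry method on Windows 8.1 and below only, matching the recommendation above. It assumes PowerShell 3.0 or later and uses the registry path and value name from Microsoft's advisory; confirm them against ADV200006 before deploying.

```powershell
# Added example (not the TAU 'tau-tools' script): report the ADV200006
# registry mitigation state and optionally apply it on pre-Windows 10 hosts.
# Registry path and value name are those used by Microsoft's advisory for the
# "DisableATMFD" method (assumption: verify against ADV200006 before use).
param(
    [switch]$Mitigate   # set DisableATMFD=1 instead of only reporting
)

$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$Name    = 'DisableATMFD'
$Dll     = Join-Path $env:SystemRoot 'System32\atmfd.dll'

function Get-AtmfdStatus {
    # Get-WmiObject is used (rather than Get-CimInstance) so the script also
    # runs on older Windows PowerShell builds found on Windows 7/8.1 hosts.
    $os  = [version](Get-WmiObject Win32_OperatingSystem).Version
    $val = (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.ToString()
        # Per the advisory, rename/registry mitigations apply to Windows 8.1 and below
        MitigationApplies = ($os.Major -lt 10)
        AtmfdDllPresent   = (Test-Path $Dll)
        DisableATMFD      = if ($null -eq $val) { 'not set' } else { $val }
        Mitigated         = ($val -eq 1)
    }
}

function Set-AtmfdMitigation {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
}

$status = Get-AtmfdStatus
if ($Mitigate) {
    if (-not $status.MitigationApplies) {
        Write-Warning 'Windows 10 or later: Microsoft does not recommend DisableATMFD here; no change made.'
    } elseif ($status.Mitigated) {
        Write-Output 'DisableATMFD is already set.'
    } else {
        Set-AtmfdMitigation
        Write-Output 'DisableATMFD set; restart the system for the mitigation to take effect.'
        $status = Get-AtmfdStatus   # re-read so the report reflects the change
    }
}
$status | Format-List
```

Run without -Mitigate from a Live Response session or configuration management tool to inventory hosts first, then re-run with -Mitigate on the pre-Windows 10 systems that report MitigationApplies as True.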

[1]: https://twitter.com/rosyna/status/1242156545346916352

Article Information
Creation Date: 04-13-2020