A new "zero day" vulnerability affects Windows 10 and
not only. Microsoft has detected
in a newsletter that attackers are exploiting
actively a flaw in the operating system – critical level – to take
control of the computers on which it is installed. At the moment not yet issued
a patch to fix the security bug, so all PCs are
potential prey of what has been defined as "limited" attacks
and "targeted".
The problem related to Adobe Type Manager library (ATMFD.DLL),
that Microsoft uses to reproduce PostScript Type 1 fonts within
Windows. The US company has discovered that they are there two RCE holes – remote
code execution, remote code execution – inside the library in
issue that allow attackers to run code on systems and
act as if they were the owners.
All currently supported versions of Windows and
Windows Server are vulnerable – Windows 7, whose
support ended mid-January. "There are different ways in which a
attacker can exploit the flaw, how to get a user to open a
document prepared ad hoc or view it in the Windows preview pane ".
As written at the beginning, a patch not yet
available, but could arrive with Patch Tuesday next month,
currently scheduled for April 14. Not to be excluded for that the company
speed up the pace, several times security corrections have been distributed to the
outside the canonical timing. Microsoft has since released a series of actions
to mitigate the problem:
- Disable Preview Pane and Detail Pane in
Windows Explorer - Disable the WebClient service
- Rename ATMFD.DLL
The first measure prevents you from automatically displaying i
OpenType fonts, preventing certain types of attack. Implement it simple: open
File Explorer, click on the View tab, remove the selection from
Preview pane and Detail pane. Then click on Options (on the right
screen), then on the Display tab and in the "Settings
Advanced "select" Always show icons, never previews ". Then close
all open instances of File Explorer for the change to take effect.
Disabling the WebClient service blocks attack vectors that attackers usually use
to take advantage of remote exploits. There for does not close all doors and it could
create some problems to the user experience, with the need to confirm
opening arbitrary programs from the Internet. Microsoft has stated that disabling WebClient prevents it
the transmission of "Web Distributed Authoring and Versioning", also blocking
the start of all services that explicitly depend on WebClient e
log error messages in the system log.
Finally, change the name to ATMFD.DLL (library not present in Windows 10 version 1709 and
subsequent) leads to display problems in applications that
take advantage of integrated fonts and may prevent some apps from working
if they use OpenType fonts. In its bulletin Microsoft also talks about acting on
registry, but a complex operation that could lead, if not
done properly, the total reinstallation of Windows.
