posted by martyb on Wednesday March 25 2020, @03:07AM
from the Bummer-of-a-birthmark,-Hal dept.

Windows code-execution zeroday is under active exploit, Microsoft warns:

Attackers are actively exploiting a Windows zero-day vulnerability that can execute malicious code on fully updated systems, Microsoft warned on Monday.

The font-parsing remote code-execution vulnerability is being used in "limited targeted attacks," the software maker said in an advisory published on Monday morning. The security flaw exists in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. The vulnerability consists of two code-execution flaws that can be triggered by the improper handling of maliciously crafted master fonts in the Adobe Type 1 PostScript format. Attackers can exploit them by convincing a target to open a booby-trapped document or to view it in the Windows preview pane.

"Microsoft is aware of limited, targeted attacks that attempt to leverage this vulnerability," Monday's advisory warned. Elsewhere the advisory said: "For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities."

Until a patch becomes available, Microsoft is suggesting users use one or more of the following workarounds:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient service
  • Renaming ATMFD.DLL, or alternatively disabling the file from the registry

[...] Monday's advisory provides detailed instructions for both turning on and turning off all three workarounds. Enhanced Security Configuration, which is on by default on Windows Servers, doesn't mitigate the vulnerability, the advisory added.
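As an added illustration (not code from the SoylentNews post, the Ars article or Microsoft's advisory), the PowerShell below audits two of the three workarounds listed above on a single host: it reports the WebClient service state and, with `-Apply`, stops and disables it, and it reports whether ATMFD.DLL is still present under System32 and who owns it. It assumes Windows PowerShell 5.1 or later in an elevated session; the function names, the `-Apply` switch and the output wording are this example's own. The Preview Pane and Details Pane workaround is left to Explorer's View ribbon because it is a per-user UI setting.

```powershell
# Added example, not code from the post or from Microsoft's advisory.
# Audits (and with -Apply enforces) the WebClient workaround and reports the
# state of ATMFD.DLL so an administrator knows whether a rename will need a
# change of ownership first.
# Assumptions: Windows PowerShell 5.1+, run elevated. Function names are this
# example's own.
[CmdletBinding()]
param(
    [switch]$Apply    # default is report-only; -Apply stops and disables WebClient
)

# Returns the current state of the WebClient (WebDAV redirector) service, or
# $null when the service is not installed on this edition of Windows.
function Get-WebClientState {
    $svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Name      = $svc.Name
        Status    = $svc.Status       # Running / Stopped
        StartType = $svc.StartType    # Automatic / Manual / Disabled
    }
}

# Stops WebClient and sets its startup type to Disabled so it stays off across
# reboots; this is the scripted equivalent of the services.msc right-click >
# Properties step. Returns the post-change state for the audit log.
function Disable-WebClient {
    Stop-Service -Name 'WebClient' -Force -ErrorAction SilentlyContinue
    Set-Service  -Name 'WebClient' -StartupType Disabled
    Get-WebClientState
}

# Reports whether ATMFD.DLL is present under System32 and who owns it. System
# files are typically owned by NT SERVICE\TrustedInstaller, which is why a plain
# administrator account cannot rename the file without taking ownership first.
# This function only reports; it does not touch ACLs and does not rename.
function Get-AtmfdState {
    $path   = Join-Path $env:SystemRoot 'System32\ATMFD.DLL'
    $exists = Test-Path -LiteralPath $path
    $owner  = 'n/a (already renamed, or not shipped on this Windows version)'
    if ($exists) { $owner = (Get-Acl -LiteralPath $path).Owner }
    [pscustomobject]@{
        Path   = $path
        Exists = $exists
        Owner  = $owner
    }
}

# --- main: audit, and apply only when asked ---------------------------------
$web = Get-WebClientState
if ($null -eq $web) {
    Write-Host 'WebClient service not present; nothing to disable.'
} elseif ($Apply -and $web.StartType -ne 'Disabled') {
    $web = Disable-WebClient
    Write-Host "WebClient now $($web.Status), startup type $($web.StartType)."
} else {
    Write-Host "WebClient is $($web.Status), startup type $($web.StartType) (report only)."
}

$atm = Get-AtmfdState
Write-Host "ATMFD.DLL present: $($atm.Exists); owner: $($atm.Owner)"
if ($atm.Exists -and $atm.Owner -like '*TrustedInstaller*') {
    Write-Host 'Renaming will require taking ownership first; follow the advisory steps.'
}
```

Run it with no arguments to see the current state, and with `-Apply` to stop and disable WebClient. The file check is deliberately read-only: whether and how to rename or unregister ATMFD.DLL depends on the Windows version, and the advisory's own instructions should drive that step.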

[...] The phrase "limited targeted attacks" is frequently shorthand for exploits carried out by hackers carrying out espionage operations on behalf of governments. These types of attacks are usually limited to a small number of targets—in some cases, fewer than a dozen—who work in a specific environment that's of interest to the government sponsoring the hackers.

  • (Score: 2) by Snotnose on Wednesday March 25 2020, @04:06AM (8 children)

    by Snotnose (1623) on Wednesday March 25 2020, @04:06AM (#975326)

    Ok, I know how to rename a dll. How do I do the other 2 things they recommend?

    --
    My ducks are not in a row. I don't know where some of them are, and I'm pretty sure one of them is a turkey.
  • (Score: 1, Informative) by Anonymous Coward on Wednesday March 25 2020, @04:22AM (4 children)

    by Anonymous Coward on Wednesday March 25 2020, @04:22AM (#975332)

    Webclient can be disabled in services. Run services.msc, find the webclient service, right-click properties, set it to disabled.

    I think previews are disabled in one of the file explorer menus but I haven't checked.

    • (Score: 0) by Anonymous Coward on Wednesday March 25 2020, @05:58AM

      by Anonymous Coward on Wednesday March 25 2020, @05:58AM (#975348)

      ALT+P or there is a checkbox under "View" in the ribbon. Of course, I have to remember that because somehow Mom keeps toggling it when she tries to print.

    • (Score: 2) by driverless on Wednesday March 25 2020, @06:26AM (1 child)

      by driverless (4770) on Wednesday March 25 2020, @06:26AM (#975350)

      Is there any reason to ever have WebClient enabled? It's one of the long list of Windows bloat I disable immediately after I get access to a system; I've never noticed its absence.

      • (Score: 1, Informative) by Anonymous Coward on Wednesday March 25 2020, @08:09AM

        by Anonymous Coward on Wednesday March 25 2020, @08:09AM (#975372)

        It is mostly used for mounting and accessing WebDAV network locations in Explorer and other programs. If you and none of your applications are using the native WebDAV support, then you don't need it enabled. The other features it enables are used even less, and you should get an error if the API or service doesn't respond properly when disabled.

    • (Score: 0) by Anonymous Coward on Wednesday March 25 2020, @12:06PM

      by Anonymous Coward on Wednesday March 25 2020, @12:06PM (#975415)

      I'm not familiar with that one. Maybe I need to sudo or something? Is there a man page for this?

  • (Score: 0) by Anonymous Coward on Wednesday March 25 2020, @11:43AM

    by Anonymous Coward on Wednesday March 25 2020, @11:43AM (#975406)

    The other 2 things...
    1- Unplug the power cable.
    2- Whip yourself with the power cable because you were using Windows.

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday March 25 2020, @04:01PM (1 child)

    by Anonymous Coward on Wednesday March 25 2020, @04:01PM (#975509)

    I thought I knew how to rename a .dll but, when I tried on Win7Pro, renaming ATMFD.DLL required "Trusted Installer" permissions, administrator didn't work (for me).

    Thoughts?

    • (Score: 4, Informative) by maxwell demon on Wednesday March 25 2020, @06:27PM

      by maxwell demon (1608) on Wednesday March 25 2020, @06:27PM (#975557) Journal

      What about booting with a Linux CD or DVD, renaming the file, and booting back into Windows?

      --
      The Tao of math: The numbers you can count are not the real numbers.