It's 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, either
Spreading in the wild, no vaccine, people told to distance themselves from dodgy sources... sounds familiar
Hackers are commandeering victims' Windows PCs by exploiting at least one remote-code-execution flaw in the Adobe Type Manager Library included with the Microsoft operating system. No patches are available right now.
Redmond today warned of two flaws, not yet assigned CVE numbers, present in the font parser – and at least one has been exploited in a "limited number of attacks" to hijack vulnerable computers. The only way to prevent trivial automatic exploitation is to disable the preview and details panes in Windows Explorer, though that will not kill off the bugs entirely unless you disable the library.
That "limited number" of victims may well grow in the near future: now that word is out, exploit developers will almost certainly hunt for the flaws themselves.
All supported versions of Windows are affected.
Adobe, for what it's worth, said this is Microsoft's problem. "This library is exclusively supported by Microsoft, and customers using Adobe products are not at risk," Adobe helpfully told The Register.
To exploit the bugs, a miscreant can include a malformed multiple-master font in a document and send it to a victim, or host it somewhere the victim's machine will fetch it from. When the victim's PC tries to render the file, either in an application or in an Explorer preview pane, the operating system hands the embedded font, in Adobe Type 1 PostScript format, to the Adobe Type Manager Library (ATMFD.DLL), which mishandles the corrupt data and ends up executing arbitrary code smuggled within the font.
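Because the trigger is simply Explorer or an application parsing a Type 1 font, a first response is to find out which files on a share or in a download folder carry one, and in particular a multiple-master one, before anyone previews them. The script below is an added example and is not code from The Register or Microsoft. The byte signatures it looks for are this editor's assumptions from the Type 1/PFB font format (the `%!PS-AdobeFont` and `%!FontType1` headers, the `0x80 0x01` PFB segment header) and from Adobe's multiple-master Type 1 dictionary entries (`/BlendDesignPositions`, `/BlendDesignMap`, `/BlendAxisTypes`, `/WeightVector`); the advisory itself names none of them.

```powershell
# Added example (not from The Register or Microsoft): triage files that carry a Type 1 font,
# flagging multiple-master fonts first, so they can be quarantined before being previewed.
# Signatures are assumptions from the Type 1/PFB and multiple-master Type 1 specs.
param(
    [string]$Path = '.',
    [long]$MaxBytes = 64MB
)

# Cleartext headers of a Type 1 font (PFA/PFB or raw PostScript)...
$type1Headers = @('%!PS-AdobeFont', '%!FontType1')
# ...and dictionary entries that only appear in the multiple-master variant.
$mmMarkers    = @('/BlendDesignPositions', '/BlendDesignMap', '/BlendAxisTypes', '/WeightVector')

function Test-Type1Font {
    param([string]$File)
    $bytes = [System.IO.File]::ReadAllBytes($File)
    if ($bytes.Length -eq 0) { return $null }
    # Latin-1 maps each byte to exactly one char, so the string search sees the raw bytes.
    $text   = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    $isPfb  = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x80 -and $bytes[1] -eq 0x01)  # PFB segment header
    $header = $type1Headers | Where-Object { $text.Contains($_) } | Select-Object -First 1
    $mm     = $mmMarkers    | Where-Object { $text.Contains($_) }
    if (-not $isPfb -and -not $header -and -not $mm) { return $null }
    [pscustomobject]@{
        File        = $File
        Type1       = [bool]($isPfb -or $header)
        MultiMaster = [bool]$mm
        Markers     = (@($header) + @($mm) | Where-Object { $_ }) -join ' '
    }
}

Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -le $MaxBytes } |
    ForEach-Object { Test-Type1Font -File $_.FullName } |
    Where-Object { $_ } |
    Sort-Object -Property MultiMaster -Descending |
    Format-Table -AutoSize
```

Two caveats. Fonts embedded in PDFs and Office files normally sit inside compressed streams or zip entries, so this catches bare .pfb/.pfa/.ps files and uncompressed containers only; unpack document formats first or run the check on the extracted streams. And the multiple-master markers also appear in legitimate MM fonts (Adobe has shipped several with Acrobat), so a hit means "look at this before previewing it", not "malicious".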
We're told that on Windows 10 the font parsing runs in a user-mode process inside an AppContainer sandbox, so a successful exploit is at least contained to that low-privilege sandbox rather than handing the malicious code full access to the box. That is not the case on Windows 8.1 and earlier, where ATMFD.DLL is loaded into the kernel and the same bug yields kernel-level code execution.
One mitigation is to disable the Windows Explorer Preview Pane and Details Pane: untick both in Explorer's View tab on Windows 8.1 and 10, or under Organize > Layout on Windows 7. Note that this only prevents exploitation while files are being previewed or thumbnailed in Explorer. Opening a poisoned file in an application will still trigger exploitation.
To really close off the flaw, you will also need to disable the WebClient service, which shuts the WebDAV route an attacker would most likely use to deliver a font file remotely, and/or rename the library, ATMFD.DLL, so that it cannot be loaded. Those with Windows 8.1 or earlier can also set a registry value that stops the kernel loading ATMFD at all. Check the Microsoft advisory for the pitfalls associated with these workarounds: the rename and the registry change both need a reboot, and both stop applications rendering Type 1 fonts until they are reversed.
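For anyone who has to roll the workarounds out quickly, here is the whole sequence as one elevated PowerShell script. It is an added example, not code from The Register or from Microsoft's advisory; the takeown/icacls/rename commands mirror the advisory's published steps as this editor recalls them, and the `IconsOnly` Explorer value (the "Always show icons, never thumbnails" option) and the `DisableATMFD` registry value are assumptions to be checked against the advisory before running this across a fleet.

```powershell
#Requires -RunAsAdministrator
# Added example (not from The Register or Microsoft): apply the ADV200006-style workarounds the
# article lists and report what changed. Key and value names are assumptions; verify against
# the advisory. The Preview/Details panes themselves are per-window UI state, so they are
# still turned off by hand in Explorer's View (8.1/10) or Organize > Layout (7) menu.

$os      = Get-CimInstance Win32_OperatingSystem
$isWin10 = [version]$os.Version -ge [version]'10.0'   # 6.x = Windows 7 / 8.1

# 1. Explorer: stop thumbnail rendering for the current user ("Always show icons, never thumbnails").
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
New-ItemProperty -Path $advanced -Name IconsOnly -PropertyType DWord -Value 1 -Force | Out-Null
Write-Host "Explorer: IconsOnly=1 (thumbnails off for $env:USERNAME)"

# 2. WebClient (WebDAV) service: the likeliest remote delivery path for a font file.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
    Write-Host "WebClient: stopped and disabled (was $($svc.StartType))"
}

# 3. Windows 8.1 and earlier only: tell win32k not to load ATMFD at all (reboot required).
if (-not $isWin10) {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    New-ItemProperty -Path $key -Name DisableATMFD -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'Registry: DisableATMFD=1 set; reboot to take effect'
}

# 4. Rename the library so it cannot be loaded. TrustedInstaller owns it, hence takeown/icacls;
#    the saved ACL lets you put it back once a patch ships. 64-bit Windows has a SysWOW64 copy too.
$dirs = @("$env:windir\System32")
if ([Environment]::Is64BitOperatingSystem) { $dirs += "$env:windir\SysWOW64" }
foreach ($d in $dirs) {
    if (-not (Test-Path (Join-Path $d 'atmfd.dll'))) { Write-Host "$d\atmfd.dll not present"; continue }
    Push-Location $d
    try {
        & takeown.exe /f atmfd.dll                      | Out-Null
        & icacls.exe  atmfd.dll /save atmfd.dll.acl     | Out-Null
        & icacls.exe  atmfd.dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path atmfd.dll -NewName x-atmfd.dll
        Write-Host "$d\atmfd.dll renamed to x-atmfd.dll (ACL saved to atmfd.dll.acl)"
    } finally { Pop-Location }
}

Write-Host 'Reboot to finish. To undo: rename x-atmfd.dll back, icacls /restore atmfd.dll.acl,'
Write-Host 'set DisableATMFD to 0, and Set-Service WebClient -StartupType Manual.'
```

The script deliberately skips the rename when the file is absent rather than failing, since not every Windows 10 build carries the DLL in System32, and it keeps the saved ACL next to the file so the rollback is a known quantity on patch day.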
Otherwise, it is going to be a bit of a wait for a fix. From the sound of things, Redmond is holding off until the next Patch Tuesday, scheduled for April 14, more than three weeks away, to address the flaws. If a patch were issued now, exploit developers could diff the changed code to work out how to attack those unable to apply the fix immediately. And given that businesses, tied up with the coronavirus pandemic, may not be able to install out-of-band patches across their fleets right now, Microsoft has decided to keep its cards close to its chest.
Should the number of attacks expand significantly beyond a "limited number," we could see an emergency out-of-band update released sooner, or at least you'd hope so. ®