Priority: High
Executive Summary: Microsoft have revealed details of two vulnerabilities in the Adobe Type Manager Library which are being actively exploited in the wild [1]. The vulnerabilities, which Microsoft have said are being exploited in a “limited” capacity, allow for remote code execution. However, supported versions of Windows 10 with AppContainer setup will contain this execution to an application sandbox, limiting the privileges and capabilities of a successful attack.
Attackers can send targets specially crafted documents which, for example, could exploit the vulnerability when opened or when viewed in the Windows Preview pane.
Although these vulnerabilities are in the Adobe Type Manager Library, it is exclusively supported by Microsoft, and is not related to Adobe products [2].
Despite the critical severity of the security flaws, Microsoft are currently planning on releasing an update to address the vulnerability in their next update, scheduled for Tuesday 14th April. In the interim, Microsoft have released details on a number of mitigation techniques, including instructions on how to disable the Preview Pane and Details Pane in Windows Explorer, disabling the WebClient service, and renaming ATMFD.DLL on systems where it is present. Further details on implementing mitigations can be found on Microsoft’s Advisory (see Source 1 below).
As these vulnerabilities are being actively exploited in the wild, the best solution appears to be disabling the Preview Pane and Details Pane in Windows explorer on affected systems, as this mitigation has the lowest impact.
Detect: Affected products which do not have mitigations already in place will be vulnerable to exploitation.
Affected Products: The following products are affected by these vulnerabilities:
• Windows 10 for 32-bit Systems
• Windows 10 for x64-based Systems
• Windows 10 Version 1607 for 32-bit Systems
• Windows 10 Version 1607 for x64-based Systems
• Windows 10 Version 1709 for 32-bit Systems
• Windows 10 Version 1709 for ARM64-based Systems
• Windows 10 Version 1709 for x64-based Systems
• Windows 10 Version 1803 for 32-bit Systems
• Windows 10 Version 1803 for ARM64-based Systems
• Windows 10 Version 1803 for x64-based Systems
• Windows 10 Version 1809 for 32-bit Systems
• Windows 10 Version 1809 for ARM64-based Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows 10 Version 1903 for 32-bit Systems
• Windows 10 Version 1903 for ARM64-based Systems
• Windows 10 Version 1903 for x64-based Systems
• Windows 10 Version 1909 for 32-bit Systems
• Windows 10 Version 1909 for ARM64-based Systems
• Windows 10 Version 1909 for x64-based Systems
• Windows 7 for 32-bit Systems Service Pack 1
• Windows 7 for x64-based Systems Service Pack 1
• Windows 8.1 for 32-bit systems
• Windows 8.1 for x64-based systems
• Windows RT 8.1
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 for Itanium-Based Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)
• Windows Server 2016
• Windows Server 2016 (Server Core installation)
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
React: As the mitigations provided by Microsoft have various impacts, ITC recommends that businesses consider the impacts of implementing these mitigations to ensure that it is the right decision based on their circumstances. However, the repercussions of disabling the Preview and Details panes in Windows Explorer should be low, as this only prevents Windows Explorer from automatically displaying OTF fonts. Otherwise, businesses may wish to wait until the appropriate security update becomes available, currently scheduled for the 14th of April.
Sources:
[1] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#march-23-flaw
[2] https://www.theregister.co.uk/2020/03/23/microsoft_issues_red_alert/