March 23, 2020 (updated 24 Mar 2020 3:02pm)

Two Critical New Windows 0Days Being Actively Exploited – No Patch Yet

Vulnerabilities are in atmfd.dll: a kernel module provided by Windows

By CBR Staff Writer

All currently supported versions of Microsoft Windows (server and desktop) are exposed to two new remote code execution (RCE) vulnerabilities which are being actively exploited in the wild in “limited targeted attacks” — and there’s no patch yet.

The new Windows 0days are in atmfd.dll: a kernel module that is provided by Windows and which provides support for OpenType fonts. (While known, in full, as “Adobe Type Manager Font Driver”, it is Microsoft’s code, not Adobe’s).

Security experts at France’s Orange Cyberdefense said if atmfd.dll was not present on a machine (it is not, apparently, on all) then mitigation was unnecessary. Computer Business Review could not immediately confirm this. Mitigations are urgent. 

Microsoft warned today of the flaws (base CVSS: 10), saying that “there are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane”.

It has posted a sweeping range of remediation options but suggested that a patch may not be ready until April 14’s “Patch Tuesday”. No credit for the disclosure was given; it was not immediately clear how the RCEs were identified.

It is not the first time that atmfd.dll has been the cause of security woes: two early January 2018 vulnerabilities disclosed to Microsoft by Google’s Project Zero (CVE-2018-0754, CVE-2018-0788) also entailed security flaws in the module. Those two CVEs (which involved how it handles objects in memory) required local access.


New Windows Vulnerability 

Microsoft said (ADV200006): “[The two RCEs exist] when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format…  For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.”

MSFT said: “Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.”

Guidance on disabling these panes is available here.

Microsoft is aware of this vulnerability and working on a fix, the company said: “Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”
