Last week, two 0-day vulnerabilities were discovered in the Adobe Type Manager Library (atmfd.dll), and attackers are already exploiting them. Windows uses this library, in particular, to render PostScript Type 1 fonts.
According to a warning from Microsoft, both vulnerabilities allow remote execution of arbitrary code: attackers can run their own code on the victim's system and take various actions on behalf of the user. An attacker can exploit the vulnerabilities in different ways, for example by convincing a user to open a specially crafted document or to view it in the Windows Preview pane.
All currently supported versions of Windows and Windows Server are vulnerable (including Windows 10, 8.1 and Server 2008, 2012, 2016 and 2019). Windows 7, whose support was discontinued earlier this year, is also vulnerable.
Since there are no official fixes for these problems, experts at Acros Security, the developer of the 0patch solution, have prepared temporary patches (micropatches). As a reminder, 0patch is a platform designed for exactly such situations: it delivers fixes for 0-day and other unpatched vulnerabilities, as well as for products no longer supported by their vendors, custom software, and so on.
So far, fixes are available for 64-bit versions of Windows 7 and Windows Server 2008 R2 that do not receive the so-called Extended Security Updates (ESU), which are available only to paying corporate customers.
The experts note that on Windows 10 version 1709 the vulnerabilities do not pose a big threat, because font parsing there takes place in an isolated space, which complicates exploitation of the bugs. Micropatches for this OS should therefore not be expected. In earlier versions of Windows, however, font parsing happens in the kernel, which gives attackers the ability to execute code with the highest privileges. For this reason, the interim fix from 0patch will soon be available for Windows 7 and Windows Server 2008 R2 with ESU, as well as for Windows 8.1 and Windows Server 2012, in both 32-bit and 64-bit versions.
The experts explain on their blog that very little is known about the vulnerabilities, so they had to block the problematic functionality.
“With this micropatch, all applications that use Windows GDI for font operations will find that any Adobe Type 1 PostScript fonts render as invalid and not loaded,” writes Mitja Kolsek, head of Acros Security.
In essence, this means that after the patch is applied, Windows Explorer will not preview .PFM and .PFB font files. Glyphs will not be displayed in the preview pane, in thumbnails, or in the details pane.