Hackers are Exploiting Unpatched Flaws on All Windows Versions – How to Protect Yourself

According to a security advisory from Microsoft, attackers are actively exploiting two unpatched zero-day flaws present in every supported version of Windows (Windows 10, Windows 8.1 and Windows Server 2008, 2012, 2016 and 2019), and also in Windows 7, for which Microsoft ended support in January 2020.

Both unpatched Remote Code Execution (RCE) vulnerabilities sit in the Windows Adobe Type Manager Library, the font-parsing component (atmfd.dll on older Windows versions) that handles Adobe Type 1 PostScript fonts and OpenType fonts, including fonts embedded in documents. Windows calls into it whenever such a font has to be rendered: when Explorer renders a file in the Preview Pane (so the user never has to open the file), and when a document containing an embedded font is opened in a third-party application. The flaws are triggered when the library "handles a specially-crafted multi-master font - Adobe Type 1 PostScript format". An attacker who gets a victim to open a crafted document, or merely to select it so that it is rendered in the Preview Pane, can run code of their choosing on the system.

Microsoft has not described every way the flaws can be triggered, but a remote vector is plausible: a web page or a WebDAV share serving a malicious font could be enough if the font is parsed by the vulnerable library. Other delivery paths exist as well. Since Microsoft has said the fix will not ship before the 14th of April, 2020, the next Patch Tuesday, users have to apply interim workarounds themselves.

Protection from Possible Hack

  1. Disable the WebClient Service: stopping and disabling the Windows WebClient service blocks the most likely remote attack vector, the Web Distributed Authoring and Versioning (WebDAV) client. With it disabled, a remote attacker can no longer have the vulnerable font fetched over WebDAV; attacks through documents the user opens locally remain possible.
  2. Disable the Preview Pane and Details Pane in Windows Explorer: Microsoft advises that disabling the Preview Pane and Details Pane in Windows Explorer is the most effective way to reduce risk until the security patches are released, because it stops Explorer from automatically parsing fonts in files that are merely selected, not opened. Note that this does not stop a malicious font from being parsed when a document is opened in an application. The steps below are for Windows 7; on Windows 8.1 and Windows 10 the two panes are toggled on Explorer's View tab, and the folder options are under View, then Options.
    • Open Windows Explorer, click Organize and then click Layout.
    • Clear both the Details pane and Preview pane menu options.
    • Click Organize, and then click Folder and search options.
    • Click the View tab.
    • Under Advanced settings, check the Always show icons, never thumbnails box.
    • Close all open instances of Windows Explorer for the change to take effect.
  3. Disable or Rename ATMFD.DLL: the Adobe Type Manager Font Driver (ATMFD.dll) is used by third-party applications that rely on embedded fonts, so renaming it will make some of them fail to display such fonts correctly. It does, however, remove the vulnerable code entirely until the patch arrives. This workaround only applies where the file exists; on Windows 10 version 1709 and later atmfd.dll is no longer shipped (font parsing was moved into the user-mode fontdrvhost.exe process), so there is nothing to rename there. To rename it, run the following commands from a command prompt or PowerShell opened with administrative access. The icacls /save line writes a backup of the file's original permissions so the change can be reverted later.

For a 32-bit system:

cd "%windir%\system32"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

For a 64-bit system (the 64-bit copy in system32 and the 32-bit copy in syswow64 must both be renamed):

cd "%windir%\system32"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

cd "%windir%\syswow64"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

Restart the system afterwards; the driver is already loaded, so the rename only takes effect after a reboot. Use straight double quotes in the cd commands: the curly quotes that some web pages substitute are not understood by the command interpreter.
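The three workarounds above, applied (and reverted with -Undo) from one elevated PowerShell session, as an added example that is not part of the original article or of Microsoft's advisory. It follows the same takeown/icacls/rename sequence, checks for elevation and for the presence of atmfd.dll before touching anything, and handles the 32-bit copy under syswow64 on 64-bit systems. Assumptions: the x- prefix and the atmfd.dll.acl backup name match the commands above; the IconsOnly registry value is the per-user "Always show icons, never thumbnails" setting; on undo the WebClient startup type is set back to Manual, its default; the Preview and Details pane toggles themselves are per-window view state and still have to be switched off by hand.

```powershell
# Added example: apply or revert the interim ATMFD workarounds. Run elevated.
[CmdletBinding()]
param([switch]$Undo)

$ErrorActionPreference = 'Stop'

# takeown/icacls and service changes need administrative rights; fail early otherwise.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

# $ErrorActionPreference does not cover native executables, so check their exit codes.
function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. WebClient (WebDAV) service: stop it and keep it from starting on reboot.
function Set-WebClient {
    param([switch]$Enable)
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning 'WebClient service not installed; skipping'; return }
    if ($Enable) {
        Set-Service -Name WebClient -StartupType Manual   # assumed original startup type
    } else {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
        Set-Service -Name WebClient -StartupType Disabled
    }
}

# 2. Explorer: "Always show icons, never thumbnails" (HKCU\...\Explorer\Advanced\IconsOnly).
function Set-IconsOnly {
    param([int]$Value)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name IconsOnly -Value $Value -Type DWord
}

# 3. atmfd.dll: take ownership, back up the ACL, grant Administrators full control, rename.
#    Runs inside $Dir so the relative names match the article's commands and the saved ACL
#    file can be applied back with "icacls . /restore". The SID *S-1-5-32-544 is the
#    built-in Administrators group, which avoids depending on the localized group name.
function Rename-Atmfd {
    param([string]$Dir, [switch]$Restore)
    Push-Location $Dir
    try {
        if ($Restore) {
            if (-not (Test-Path 'x-atmfd.dll')) { Write-Verbose "no x-atmfd.dll in $Dir"; return }
            Rename-Item -Path 'x-atmfd.dll' -NewName 'atmfd.dll'
            Invoke-Native 'icacls.exe' @('atmfd.dll', '/setowner', 'NT SERVICE\TrustedInstaller')
            Invoke-Native 'icacls.exe' @('.', '/restore', 'atmfd.dll.acl')
            return
        }
        if (-not (Test-Path 'atmfd.dll')) {
            # Windows 10 1709 and later ship no atmfd.dll; nothing to rename here.
            Write-Warning "atmfd.dll not found in $Dir; rename workaround not applicable"
            return
        }
        Invoke-Native 'takeown.exe' @('/f', 'atmfd.dll')
        Invoke-Native 'icacls.exe' @('atmfd.dll', '/save', 'atmfd.dll.acl')
        Invoke-Native 'icacls.exe' @('atmfd.dll', '/grant', '*S-1-5-32-544:(F)')
        Rename-Item -Path 'atmfd.dll' -NewName 'x-atmfd.dll'
    } finally {
        Pop-Location
    }
}

$dirs = @("$env:windir\System32")
if ([Environment]::Is64BitOperatingSystem) { $dirs += "$env:windir\SysWOW64" }

if ($Undo) {
    Set-WebClient -Enable
    Set-IconsOnly -Value 0
    foreach ($d in $dirs) { Rename-Atmfd -Dir $d -Restore }
} else {
    Set-WebClient
    Set-IconsOnly -Value 1
    foreach ($d in $dirs) { Rename-Atmfd -Dir $d }
}
Write-Host 'Done. Restart the system for the atmfd.dll change to take effect.'
```

Run it as `.\atmfd-workaround.ps1` to apply and `.\atmfd-workaround.ps1 -Undo` once the April patch is installed. Keep the atmfd.dll.acl files in place until then; the undo path needs them to put the original permissions back.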
