Article 514Y4 Attackers exploiting font parsing code vulnerabilities as Windows Defender falters

by Nathan Wasson from Techreport on (#514Y4)

Today, Microsoft issued a security advisory stating that the company "is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library." There are reportedly two remote code execution vulnerabilities in all supported versions of Windows. These vulnerabilities are the result of the Windows Adobe Type Manager Library improperly handling the Adobe Type 1 PostScript format. If an attacker can get a user to open a specially crafted document or view it in the Windows Preview pane, the attacker can remotely run malware on the user's device.

The vulnerability currently has no fix, but Microsoft says it is working on one. Unfortunately, it seems that it will be at least a few weeks until said fix is available. TechCrunch reached out to a Microsoft spokesperson who suggested that the fix would appear next Update Tuesday, which is April fourteenth. The severity of the vulnerabilities is marked as critical in the security advisory, which is Microsoft's highest severity rating, so hopefully we'll see a fix before Update Tuesday.

The security advisory suggests three mitigation strategies that can be taken until a fix is made available. The first of these is disabling the Preview and Details Panes in Windows Explorer so malicious OTF files won't be automatically displayed. That said, this measure will not prevent a user from directly opening said files. Further mitigation involves disabling the WebClient service, which blocks "the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service." The most drastic strategy is renaming ATMFD.DLL, which is the driver causing the vulnerabilities. However, renaming the file will break proper font presentation in some applications and cause other applications to stop working altogether. Changing the registry can also be risky business. Full instructions for these mitigation measures are included in the security advisory.
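A read-only way to check where a machine stands on two of those mitigations, as an added example that is not code from the article or from Microsoft's advisory. The function name, the output property names and the default driver location (the Windows System32 directory) are assumptions made for this sketch.

```powershell
# Added example: reports mitigation state only, changes nothing on the host.
# Assumption: ATMFD.DLL is looked for in the Windows System32 directory;
# pass -DriverPath to check a different location.
function Get-AtmfdMitigationStatus {
    [CmdletBinding()]
    param(
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\atmfd.dll')
    )

    # WebClient (WebDAV client) service: counted as mitigated only when it is
    # both disabled and not currently running.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" `
        -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $webClientState     = 'NotInstalled'
        $webClientMitigated = $true
    }
    else {
        $webClientState     = '{0}/{1}' -f $svc.StartMode, $svc.State
        $webClientMitigated = ($svc.StartMode -eq 'Disabled' -and
                               $svc.State -eq 'Stopped')
    }

    # ATMFD.DLL: if the file is not found under its original name at this
    # path, the rename mitigation is treated as in place.
    $driverPresent = Test-Path -LiteralPath $DriverPath -PathType Leaf

    # The Preview and Details pane settings are per-user Explorer options
    # and are not checked here.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        WebClientService   = $webClientState
        WebClientMitigated = $webClientMitigated
        AtmfdDriverPresent = $driverPresent
        AtmfdMitigated     = -not $driverPresent
    }
}

Get-AtmfdMitigationStatus | Format-List
```

Because the function returns an object rather than text, its output can be collected from many hosts and filtered for machines where either `*Mitigated` property is false.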

Now is not a good time for attackers to be taking advantage of these vulnerabilities as a recently introduced Windows 10 bug can cause Windows Defender to seemingly not scan files or fail scans altogether. This bug seems to be present in Windows Defender version 4.18.2003 and newer. The bug has been reported in the Microsoft forums as well as multiple Reddit posts, but Microsoft has yet to acknowledge it.

The post Attackers exploiting font parsing code vulnerabilities as Windows Defender falters appeared first on The Tech Report.
