Microsoft released a security advisory on a zero-day remote code execution (RCE) vulnerability affecting Windows operating systems. The vulnerability lies in a library for which no patch is yet available.
The vulnerability comprises two RCE flaws found in Adobe Type Manager Library (atmfd.dll), a built-in library for the Adobe Type Manager font management tool in Windows. The library renders fonts in the Adobe Type 1 PostScript format, and improper handling of that format is what gives rise to the flaws.
Threat actors can exploit the vulnerability in a variety of ways, such as luring users into opening a specially crafted document or viewing it in the Windows Preview pane. Upon exploiting the vulnerability, threat actors can run code and perform actions on the user’s system without the user’s knowledge.
Because it can be used for RCE, Microsoft rated the severity of this vulnerability as critical, although the company described the attacks that could exploit it as limited and targeted. All currently supported versions of Windows are affected.
While there is no fix yet, Microsoft recommended mitigations and workarounds in its security advisory, including step-by-step instructions on how to apply them. The workarounds include the following:
Disable the Preview Pane and Details Pane in Windows Explorer. This prevents Windows Explorer from automatically displaying OpenType fonts (OTFs), and thus from rendering malicious files. However, it doesn’t stop local, authenticated users from running specially crafted programs that exploit the vulnerability.
Disable the WebClient service. This blocks remote attacks routed through the Web Distributed Authoring and Versioning (WebDAV) client service. After this workaround is applied, remote attackers can still run programs on a user’s computer or local area network (LAN), but the user will be asked for confirmation before arbitrary programs from the internet are launched.
Rename atmfd.dll through an administrative command prompt. This is not available for Windows 10 version 1709 and subsequent versions.
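The following PowerShell script is an added example, not part of Microsoft’s advisory or of Trend Micro’s guidance: it audits whether the three workarounds described above are in place on the local machine and reports each as applied or not. It only reads state and changes nothing. Several details are assumptions rather than statements from the page: that the Explorer policy values NoReadingPane (Preview pane) and NoPreviewPane (Details pane) under HKCU\...\Policies\Explorer reflect the pane settings (panes toggled through the Explorer UI alone may not set these values, so a $false there should be confirmed by hand); that atmfd.dll is looked for in %SystemRoot%\System32 and, on 64-bit installs, %SystemRoot%\SysWOW64; and that Windows 10 version 1709 corresponds to build 16299, from which the rename workaround is reported as not applicable.

```powershell
# Added audit example (not from the advisory): reports whether the three
# workarounds described above are in place on the local machine.
# Assumptions (not stated on the page):
#  - Explorer policy values NoReadingPane (Preview pane) and NoPreviewPane
#    (Details pane) under HKCU\...\Policies\Explorer reflect pane settings.
#  - atmfd.dll lives in %SystemRoot%\System32 and, on 64-bit installs,
#    also %SystemRoot%\SysWOW64.
#  - Windows 10 version 1709 is build 16299, so the rename workaround is
#    reported as not applicable from that build onward.

function Test-AtmfdWorkarounds {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. Preview Pane / Details Pane (assumed policy value names)
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $report['PreviewPaneDisabled'] = [bool]($policy -and $policy.NoReadingPane -eq 1)
    $report['DetailsPaneDisabled'] = [bool]($policy -and $policy.NoPreviewPane -eq 1)

    # 2. WebClient (WebDAV) service: stopped now, and disabled so it stays down
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -ne $svc) {
        $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
        $report['WebClientStopped']  = ($svc.Status -eq 'Stopped')
        $report['WebClientDisabled'] = ($startMode -eq 'Disabled')
    } else {
        # Service not installed at all: nothing for WebDAV requests to run through
        $report['WebClientStopped']  = $true
        $report['WebClientDisabled'] = $true
    }

    # 3. atmfd.dll renamed (not applicable on Windows 10 1709 and later)
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($build -ge 16299) {
        $report['AtmfdRenamed'] = 'N/A (Windows 10 1709 or later)'
    } else {
        $paths = @(Join-Path $env:SystemRoot 'System32\atmfd.dll')
        if ([Environment]::Is64BitOperatingSystem) {
            $paths += Join-Path $env:SystemRoot 'SysWOW64\atmfd.dll'
        }
        # The workaround counts as applied only if no copy remains under its original name
        $present = @($paths | Where-Object { Test-Path -Path $_ })
        $report['AtmfdRenamed'] = ($present.Count -eq 0)
    }

    [pscustomobject]$report
}

# Usage: print the audit; any $false entry is a workaround still to apply
Test-AtmfdWorkarounds | Format-List
```

Running this from an elevated prompt gives a consistent result across a fleet when fed through a remoting session, and the output can be kept as a record of which mitigations were in effect while the patch was pending.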
Users are advised to deploy operating system updates as soon as they are available.
Trend Micro Solutions
Trend Micro users and customers are protected from the exploitation of this vulnerability with the following rule: