Protecting against the Windows Adobe Type Manager (ATM) Zero Day Vulnerabilities

Update: 15th April 2020
Microsoft have now issued updates for both of the Adobe Type Manager vulnerabilities. These updates apply to Windows 10, Windows 8.1 and Windows 7 (and their Windows Server equivalents):

Please install these updates when you can. Thank you.

A patch for these vulnerabilities is expected in the next scheduled monthly set of updates, due on the 14th of April. Until then, be alert to attempts to get you to open unexpected or suspicious files, whether by clicking links on websites or in emails or by opening email attachments. If you are using Windows 7, Windows 8.1, Windows 10 (Version 1703 or earlier) or a Windows Server release earlier than Server 2016 or 2019, evaluate whether you wish to enable the workarounds until the patch is released. These vulnerabilities are of critical severity for Windows 8.1 and Windows 7, so please make certain your staff are security aware and do not open unknown or suspicious attachments/files.

A micro-patch is now available for Windows 7 and Windows 8.1 (including their Windows Server equivalents):

Update: 30th March 2020
0Patch have released a micro-patch for these vulnerabilities that is free of charge during these uncertain times (some 0Patch micro-patches are normally a paid service).

The micro-patch works by blocking the common code path that Windows Explorer, Font Viewer and any application using Windows' integrated font support take to render Adobe Type 1 PostScript fonts. It does not protect against a local attacker who can already run code on the machine, but it does block the more important remote vector: a crafted document or font delivered by email, a web page or a WebDAV share.

The micro-patch is available for Windows versions including Windows 7 and Windows Server 2008 R2 with ESU, Windows 8.1 and Windows Server 2012, both 32-bit and 64-bit:

A YouTube video of the micro-patch in action is available from the following link:

Thank you.

Update: 28th March 2020
As detailed in Microsoft’s security advisory, these zero day vulnerabilities are of critical severity for Windows 8.1 and Windows 7. Please make certain your staff/users are security aware and strongly advise them not to open unknown or suspicious attachments/files. This is particularly severe while staff/users are likely working from home and the systems they are using may not benefit from the firewalls/IPS and proxy servers of their primary work location. Staff/users may even be using their personal laptops/desktops to access corporate data during the current COVID-19 lockdown period.

If possible, please evaluate and implement the appropriate workarounds in Microsoft’s security advisory (which mitigate the vulnerabilities but have the least impact on your day to day work/activities) while the appropriate updates are not yet available.

Thank you.

Original Post:
I hope everyone is staying safe under the current circumstances.

Yesterday Microsoft published a security advisory describing the use of vulnerabilities within the Windows Adobe Type Manager (ATM) library by attackers to run unauthorised code on victim systems.

Why should these vulnerabilities be considered important?
If an attacker can persuade you to open a document containing a malformed Adobe Type 1 PostScript font (perhaps a document you were expecting, but the email it arrived in doesn’t look or sound quite right), or to click a link that seems useful, they may be able to run code of their choice on your system. Microsoft’s advisory notes that on affected systems simply viewing such a file in the Windows Explorer Preview pane is enough; the file does not have to be opened.

According to Kaspersky, a more likely scenario would be: “attackers also can exploit this vulnerability through an extension to the HTTP called Web Distributed Authoring and Versioning (WebDAV), which allows users to collaborate on a document. Microsoft suggests disabling the WebClient service, which allows you to use this feature”.

For the attack to have a serious impact you must be running Windows 7, Windows 8.1, Windows 10 (Version 1703 or earlier) or a Windows Server release earlier than Server 2016 or 2019. On newer versions, font parsing runs in a restricted user-mode sandbox rather than in the kernel-mode ATMFD.DLL font driver, and Microsoft’s analysis is: “The possibility of remote code execution is negligible and elevation of privilege is not possible”.

How can I protect my organisation or myself from these vulnerabilities?
Until an update is made available, be aware and don’t open email attachments that look suspicious or click on links (from emails, while web browsing or via instant message clients) that you weren’t expecting or are suspicious.

If you are using an older version of Windows, consider implementing the workarounds provided by Microsoft in their advisory but please be aware of their potential impact to routine functionality before more widely enabling such workarounds:
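As an added example (this script is not from the original post, from 0Patch or from Microsoft’s advisory), the following PowerShell applies, or with -Revert undoes, two of the advisory’s workarounds for Windows 7/8.1 and their Server equivalents: stopping and disabling the WebClient (WebDAV) service, which closes the remote vector Kaspersky describes, and telling Explorer to always show icons rather than thumbnails so that browsing to a font file does not parse it. It first reports whether the kernel-mode ATMFD.DLL is present at all. The service name, file paths and the Explorer IconsOnly registry value are those of a standard Windows installation; the -Revert switch, the ordering of the steps and the summary object at the end are this example’s own design. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example, not code from the original post or Microsoft's advisory.
  Applies (or, with -Revert, undoes) two of the advisory's workarounds for the
  Adobe Type Manager (ATM) vulnerabilities on Windows 7 / 8.1 and their Server
  equivalents:
    1. Stop and disable the WebClient (WebDAV redirector) service.
    2. Set Explorer to 'Always show icons, never thumbnails' (IconsOnly = 1).
  The advisory's other workarounds (disabling the Preview/Details panes and
  renaming ATMFD.DLL) are deliberately not automated here.
#>
[CmdletBinding()]
param(
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'

# ATMFD.DLL is the kernel-mode Adobe Type Manager font driver these
# vulnerabilities live in. If it is not present, this code path does not exist.
$atmfdPaths   = @("$env:windir\System32\atmfd.dll", "$env:windir\SysWOW64\atmfd.dll")
$atmfdPresent = @($atmfdPaths | Where-Object { Test-Path -Path $_ })

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)
if ($atmfdPresent.Count -eq 0) {
    Write-Host "atmfd.dll not found: the kernel-mode ATM font path is absent on this build; nothing to do."
    return
}
Write-Host "atmfd.dll present at: $($atmfdPresent -join ', ')"

# --- Workaround 1: WebClient (WebDAV) service ------------------------------
# On Server SKUs the service only exists when the Desktop Experience feature
# is installed, so tolerate its absence instead of failing.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host "WebClient service not installed; WebDAV vector not present."
} elseif ($Revert) {
    # WebClient is 'Manual' start by default; leave it stopped, the user can start it.
    Set-Service -Name WebClient -StartupType Manual
    Write-Host "WebClient startup type restored to Manual."
} else {
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    Write-Host "WebClient service stopped and disabled."
}

# --- Workaround 2: Explorer 'Always show icons, never thumbnails' ----------
# Per-user setting; takes effect after Explorer restarts or the user signs in again.
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$desired = if ($Revert) { 0 } else { 1 }
Set-ItemProperty -Path $advKey -Name IconsOnly -Value $desired -Type DWord
Write-Host "Explorer IconsOnly set to $desired."

# --- Verify and summarise the resulting state ------------------------------
$svc       = Get-Service -Name WebClient -ErrorAction SilentlyContinue
$startMode = if ($null -ne $svc) {
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
} else { 'NotInstalled' }
$iconsOnly = (Get-ItemProperty -Path $advKey -Name IconsOnly).IconsOnly

[pscustomobject]@{
    AtmfdPresent       = $atmfdPresent
    WebClientStatus    = if ($null -ne $svc) { $svc.Status } else { 'NotInstalled' }
    WebClientStartMode = $startMode
    ExplorerIconsOnly  = $iconsOnly
}
```

Disabling WebClient also breaks legitimate WebDAV use (for example mapping a SharePoint library as a drive), which is exactly the kind of impact on routine functionality the paragraph above warns about; test on a pilot group and keep the -Revert path to hand. Once the April updates are installed these workarounds are no longer needed and should be reverted.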

Thank you and stay safe everyone both inside and outside of cyberspace.
