
ADV200006: Font Parsing Vulnerabilities

Brett Purcell

In case these last weeks haven't been quite stressful enough for all you sysadmins out there, we've got a brand new security vulnerability to look out for. Microsoft recently published ADV200006, which covers a nasty trick: a specially crafted font, delivered inside a document, lets an attacker execute code on your machines even if nobody actually opens the file. Fortunately, newer operating systems (Windows 10, and Server 2016 and later) get off lightly, because the font parser there already runs inside a low-privilege AppContainer sandbox, so a successful exploit is contained rather than handed kernel-level control. We're not all lucky enough to be free of the baggage of Windows 7, Windows 8.1 and Server 2008 through 2012 R2, though, and if you've still got some update-challenged servers or workstations hanging around, this one's for you.

How Does It Work?

The vulnerabilities described in ADV200006 live in the Windows Adobe Type Manager Library (atmfd.dll), the component that parses Adobe Type 1 PostScript fonts. A specially crafted font, embedded in a document, is parsed incorrectly by this library, and the parsing error lets the attacker's code run at the time the font is loaded. That loading isn't limited to a user deliberately opening the document, either: the Windows Explorer preview and details panes render documents automatically, so merely selecting a malicious file in a folder listing is enough to load the font and execute the code without you or your users realizing anything has happened. The same applies to a document sitting on a remote WebDAV share, which is why one of Microsoft's workarounds targets the WebClient service.

How To Fix It

Microsoft has said that they are currently working on a fix for this vulnerability, which they anticipate releasing in a future Patch Tuesday (it shipped in the April 2020 security updates as CVE-2020-0938 and CVE-2020-1020). In the meantime, they've offered three workarounds. Two of them only close off delivery paths: disabling the Windows Explorer preview and details panes stops the automatic rendering, and disabling the WebClient service blocks the remote WebDAV vector, but a user who opens a malicious document is still exposed. The third option protects you even if a document containing the malicious font is opened: it renames the .dll responsible so it can no longer be loaded. Microsoft's caveat is that applications relying on embedded Type 1 or OpenType font technology may fail to render properly once the driver is gone; for most servers and workstations with no such dependency the change is invisible. Microsoft has been kind enough to provide the commands for this, one set for 32-bit OSes and one for 64-bit OSes, to be run from an elevated Command Prompt. The two sets are very similar; the 64-bit one just handles the extra 32-bit copy of the file under SysWOW64 that isn't present on 32-bit installations.

32-bit Mitigation (run from an elevated Command Prompt):
rem /d also switches drive, in case the prompt is not on the system drive
cd /d "%windir%\system32"
rem Take ownership away from TrustedInstaller so the ACL can be changed
takeown.exe /f atmfd.dll
rem Back up the current ACL first; the undo script restores it from this file
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rem The rename is what stops the driver being loaded; it takes effect after a reboot
rename atmfd.dll x-atmfd.dll

64-bit Mitigation (run from an elevated, native 64-bit Command Prompt):
cd /d "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
rem 64-bit Windows also carries a 32-bit copy of the driver under SysWOW64
cd /d "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

Once those commands have run, restart the system and you're good to go; the driver stays loaded until the reboot, so the rename alone doesn't protect a running machine. In a PDQ Deploy package this becomes two Command steps: the first holds the System32 commands and runs on both 32-bit and 64-bit machines, the second holds only the SysWOW64 commands and is limited to 64-bit targets (if the second step repeated the full 64-bit script, its System32 half would fail noisily because the file has already been renamed). One caveat worth checking: the commands must execute in a native 64-bit cmd.exe. Under a 32-bit host process, the file-system redirector silently points %windir%\system32 at SysWOW64, and the real 64-bit driver would be left untouched.

Of course, you'll also want to undo that renaming at some point, either because things aren't working out quite right for you, or once the fix arrives in an update, so Microsoft has given us the reverse commands as well. As with the mitigation, the 64-bit version is the 32-bit one with the SysWOW64 copy handled on top.

32-bit Undo (run from an elevated Command Prompt):
cd /d "%windir%\system32"
rem Put the driver back under its original name
rename x-atmfd.dll atmfd.dll
rem Hand ownership back to TrustedInstaller, then restore the ACL saved by the mitigation
icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
icacls.exe . /restore atmfd.dll.acl

64-bit Undo (run from an elevated, native 64-bit Command Prompt):
cd /d "%windir%\system32"
rename x-atmfd.dll atmfd.dll
icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
icacls.exe . /restore atmfd.dll.acl
rem And the 32-bit copy under SysWOW64
cd /d "%windir%\syswow64"
rename x-atmfd.dll atmfd.dll
icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
icacls.exe . /restore atmfd.dll.acl

Once again, restart the system and everything is back to normal. The PDQ Deploy package for the undo mirrors the mitigation one: a first step with the System32 commands that runs on both 32-bit and 64-bit computers, and a second step with only the SysWOW64 commands, limited to your 64-bit targets.

Since Microsoft does not recommend doing this on Windows 10 systems (the parser is already sandboxed there, and newer Windows 10 builds no longer ship atmfd.dll at all), we've filtered out Windows 10 on each package, along with Server versions 2016 and 2019. Even though the workaround requires a reboot before it takes effect, we haven't put a reboot step in these packages, to avoid accidentally upsetting your users; either add a reboot step at the end or rely on your existing reboot schedule to finish the job. Until that reboot happens, treat the machine as still vulnerable.
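For the mitigation and the undo above, here is an added example (not Microsoft's commands and not a PDQ package) that does both in one PowerShell script and, more importantly, reports whether a machine is actually in the mitigated state, which the batch commands never tell you. It assumes an elevated, native 64-bit PowerShell host on the affected Windows 7/8.1/Server 2008-2012 R2 systems; the function names Invoke-Native and Get-AtmfdState are my own. Unlike the batch versions, it stops on the first failed takeown or icacls instead of carrying on, detects 64-bit Windows by the presence of SysWOW64 so one step covers both architectures, and skips directories where the file is absent rather than erroring.

```powershell
# Added example, not from the original post: apply, revert or report the atmfd.dll
# rename workaround from ADV200006. Run elevated in a native 64-bit PowerShell host;
# a 32-bit host would have System32 redirected to SysWOW64 and miss the real driver.
param(
    [ValidateSet('Apply', 'Undo', 'Status')]
    [string]$Action = 'Status'
)

$ErrorActionPreference = 'Stop'

# System32 everywhere; SysWOW64 carries a second, 32-bit copy on 64-bit Windows.
$dirs = @("$env:windir\System32")
if (Test-Path "$env:windir\SysWOW64") { $dirs += "$env:windir\SysWOW64" }

function Invoke-Native {
    # Runs an external tool and throws on a non-zero exit code; the advisory's batch
    # commands keep going after a failed takeown or icacls, which can leave a half-done state.
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

function Get-AtmfdState {
    # One object per directory: Mitigated (only x-atmfd.dll), Unmitigated (atmfd.dll
    # present) or Absent (neither, e.g. a newer Windows 10 build that doesn't ship it).
    foreach ($d in $dirs) {
        $live    = Test-Path (Join-Path $d 'atmfd.dll')
        $renamed = Test-Path (Join-Path $d 'x-atmfd.dll')
        $s = if ($renamed -and -not $live) { 'Mitigated' }
             elseif ($live)                { 'Unmitigated' }
             else                          { 'Absent' }
        New-Object PSObject -Property @{ Directory = $d; State = $s }
    }
}

switch ($Action) {
    'Apply' {
        foreach ($d in $dirs) {
            if (-not (Test-Path (Join-Path $d 'atmfd.dll'))) { Write-Output "$d\atmfd.dll not present, skipping"; continue }
            Push-Location $d
            try {
                Invoke-Native -Exe takeown.exe -ArgList '/f', 'atmfd.dll'
                Invoke-Native -Exe icacls.exe  -ArgList 'atmfd.dll', '/save', 'atmfd.dll.acl'    # ACL backup for Undo
                Invoke-Native -Exe icacls.exe  -ArgList 'atmfd.dll', '/grant', 'Administrators:(F)'
                Rename-Item -Path 'atmfd.dll' -NewName 'x-atmfd.dll'
            } finally { Pop-Location }
        }
        Write-Output 'Reboot required: the driver stays loaded until then.'
    }
    'Undo' {
        foreach ($d in $dirs) {
            if (-not (Test-Path (Join-Path $d 'x-atmfd.dll'))) { Write-Output "$d\x-atmfd.dll not present, skipping"; continue }
            Push-Location $d
            try {
                Rename-Item -Path 'x-atmfd.dll' -NewName 'atmfd.dll'
                Invoke-Native -Exe icacls.exe -ArgList 'atmfd.dll', '/setowner', 'NT SERVICE\TrustedInstaller'
                Invoke-Native -Exe icacls.exe -ArgList '.', '/restore', 'atmfd.dll.acl'
            } finally { Pop-Location }
        }
        Write-Output 'Reboot required before the driver is loaded again.'
    }
}

# Always end with the current state, so the output doubles as a compliance check.
$state = Get-AtmfdState
$state | Format-Table Directory, State -AutoSize

# Non-zero exit if any directory that has the file is not in the state the action aimed for.
$wanted = if ($Action -eq 'Undo') { 'Unmitigated' } else { 'Mitigated' }
if ($Action -ne 'Status' -and ($state | Where-Object { $_.State -ne $wanted -and $_.State -ne 'Absent' })) { exit 1 }
exit 0
```

Because the script picks up SysWOW64 on its own, a PDQ Deploy package needs just one PowerShell step (`-Action Apply` or `-Action Undo`) instead of the two-step split, and the same script with `-Action Status` makes a cheap PDQ Inventory scanner for finding machines that were renamed but never rebooted or never mitigated at all. Keep the package's target filter excluding Windows 10 and Server 2016/2019 exactly as before.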
