Shulou (Shulou.com), 05/31 report; updated 2025-01-27. Source: SLTechnology News & Howtos > Network Security.
This article reproduces the Qianxin Threat Intelligence Center notice on ADV200006, the Microsoft Windows Type 1 font processing remote code execution vulnerability, including the affected versions and the mitigations Microsoft published before a patch was available.
Document information
Number: QiAnXinTI-SV-2020-0009
Keywords: font, Adobe Type 1, PostScript, ADV200006
Release date: March 24, 2020
Update date: March 24, 2020
TLP: WHITE
Analysis team: Qianxin Threat Intelligence Center
Announcement background
On March 24, 2020, Microsoft issued an out-of-band security advisory. It describes two vulnerabilities in the part of the Windows Adobe Type Manager library that handles Adobe Type 1 PostScript fonts, both of which can lead to code execution. Notably, one of the exploits leaked in the 2015 Hacking Team breach also targeted this module. According to the advisory, the vulnerability has been used in a limited number of targeted attacks in the wild, and an attacker can trigger it in several ways, for example by inducing a user to open a specially crafted document or by having the document rendered in the Windows preview pane. Because Microsoft will not ship a fix until the April Patch Tuesday, the Qianxin Threat Intelligence Center issued this notice to remind users to protect themselves with the appropriate mitigations in the meantime.
The Red Raindrop team of the Qianxin Threat Intelligence Center has confirmed the existence of the vulnerability and continues to track it; further details and progress will be published as they become available.
Vulnerability summary
Vulnerability name: Microsoft Windows Type 1 font remote code execution vulnerability
Threat type: code execution
Threat level: critical
Vulnerability ID: ADV200006
Exploit scenario: an attacker constructs a malicious font file and induces a user to open a specially crafted document that embeds it, or to view that document in the Windows preview pane; either can lead to arbitrary code execution.
Affected systems and application versions:
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Note that on Windows 10, and in particular on builds after version 1703, the relevant font parsing has been moved out of the kernel into the user-mode process fontdrvhost.exe, which runs inside an AppContainer sandbox. On those systems a successful exploit yields only code execution inside that sandbox with limited privileges, and any privilege escalation from there is correspondingly limited.
Vulnerability description
Both vulnerabilities lie in the Adobe Type 1 PostScript font handling module of the Adobe Type Manager library and can lead to code execution; technical details had not been published at the time of writing.
Impact area assessment
This vulnerability affects Windows font processing. Exploitation currently appears to be limited and targeted, but given the number of affected devices the potential impact is large.
Handling advice: suggested remediation
No patch has been released yet. Microsoft currently offers several mitigations, but each has side effects, so whether to apply one must be decided against your own operational requirements.
1. Disable the preview pane and details pane in Windows Explorer. This prevents malicious OTF fonts from being rendered automatically by the Windows preview pane, but it does not prevent an authenticated local user from running a specially crafted program to exploit the vulnerability.
On Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows 8.1, disable them as follows:
On Windows Server 2016, Windows 10 and Windows Server 2019, disable them as follows:
Undo the above as follows:
Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows 8.1:
Windows Server 2016, Windows 10 and Windows Server 2019:
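The Explorer steps above are menu clicks in the original advisory. The script below is an added example, not part of the Qianxin notice or of Microsoft's advisory text: it applies the same "no preview pane, no details pane, icons only" state through the per-user registry values behind the File Explorer policy templates and Folder Options, checks it, and undoes it. The value names are an assumption on my part (NoReadingPane for the preview pane, NoPreviewPane for the details pane, DisableThumbnails and IconsOnly for "Always show icons, never thumbnails"); it needs PowerShell 3.0 or later and must run as the user being protected.

```powershell
# Added example (not from the notice). Assumed value names: NoReadingPane =
# preview pane, NoPreviewPane = details pane, DisableThumbnails/IconsOnly =
# "Always show icons, never thumbnails". Per-user: run as the user to protect.

$PolicyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$OptionsKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$PolicyValues = 'NoReadingPane', 'NoPreviewPane', 'DisableThumbnails'

function Restart-ExplorerShell {
    # Explorer reads these values at start-up, so restart the shell process.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        Start-Process -FilePath explorer.exe   # older builds do not auto-restart it
    }
}

function Disable-ExplorerPanes {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $PolicyValues) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
    }
    # Folder Options > View > "Always show icons, never thumbnails"
    Set-ItemProperty -Path $OptionsKey -Name IconsOnly -Value 1 -Type DWord
    Restart-ExplorerShell
}

function Enable-ExplorerPanes {
    foreach ($name in $PolicyValues) {
        Remove-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
    }
    Set-ItemProperty -Path $OptionsKey -Name IconsOnly -Value 0 -Type DWord
    Restart-ExplorerShell
}

function Test-ExplorerPanes {
    $p = Get-ItemProperty -Path $PolicyKey  -ErrorAction SilentlyContinue
    $o = Get-ItemProperty -Path $OptionsKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PreviewPaneOff = ($p.NoReadingPane     -eq 1)
        DetailsPaneOff = ($p.NoPreviewPane     -eq 1)
        ThumbnailsOff  = ($p.DisableThumbnails -eq 1)
        IconsOnly      = ($o.IconsOnly         -eq 1)
        Mitigated      = ($p.NoReadingPane -eq 1 -and $p.NoPreviewPane -eq 1 -and $o.IconsOnly -eq 1)
    }
}

Disable-ExplorerPanes
Test-ExplorerPanes          # every field should report True
# Enable-ExplorerPanes      # roll back
```

Because these are policy values rather than the View-menu preferences, the user cannot switch the panes back on from the Explorer ribbon until Enable-ExplorerPanes removes them; that is the property you want during a zero-day window, and the reason Test-ExplorerPanes checks the policy key rather than the UI state.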
2. Disable the WebClient service. Disabling WebClient blocks the most likely remote attack vector (WebDAV). After applying this workaround, a remote attacker who successfully exploits the vulnerability could still cause programs located on the target user's computer or on the local area network (LAN) to run, but the user will be prompted for confirmation before arbitrary programs from the Internet are opened.
Disable the WebClient service as follows:
Undo as follows:
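The following is an added example, not part of the notice, that performs the WebClient mitigation from an elevated PowerShell (3.0 or later): it disables and stops the service, reports the state a practitioner would check, and undoes the change. It assumes the service's startup type before the change was Manual, the default on the affected versions, so the undo restores Manual rather than recording the prior value.

```powershell
# Added example (not from the notice): WebClient (WebDAV redirector) mitigation.
# Assumes the prior startup type was Manual (the default); run elevated.

function Get-WebClientState {
    $svc = Get-Service -Name WebClient
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        Status    = $svc.Status        # Running / Stopped
        StartMode = $wmi.StartMode     # Auto / Manual / Disabled
        Mitigated = ($svc.Status -eq 'Stopped' -and $wmi.StartMode -eq 'Disabled')
    }
}

function Disable-WebClient {
    Set-Service -Name WebClient -StartupType Disabled
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    # WebClient can linger in "stop pending"; give it up to 30 s to settle
    (Get-Service -Name WebClient).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
}

function Enable-WebClient {
    # Manual (demand start) is enough: the service starts on the first WebDAV access
    Set-Service -Name WebClient -StartupType Manual
}

Disable-WebClient
Get-WebClientState          # expect Status Stopped, StartMode Disabled, Mitigated True
# Enable-WebClient          # roll back
```

Setting the startup type to Disabled is the part that matters: merely stopping the service leaves it demand-started the next time something touches a WebDAV path, which is exactly the remote vector this workaround is meant to close.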
3. Rename the vulnerable module ATMFD.DLL. Windows 10 version 1709 and later do not ship this DLL.
Rename the vulnerable DLL with the following commands.
On a 32-bit system, run the following with administrator privileges:
Restart the system.
On a 64-bit system, run the following with administrator privileges:
Restart the system.
Undo the rename with the following commands.
On a 32-bit system, run the following with administrator privileges:
Restart the system.
On a 64-bit system, run the following with administrator privileges:
Restart the system.
4. Optional for Windows 8.1 and earlier: disable ATMFD.
This is done by setting a registry value.
Undo the above:
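Mitigations 3 and 4 both neutralize the ATMFD module, and their undo steps have to be exact (ownership and ACL of a TrustedInstaller-owned file, a registry value under HKLM), so here is one added example, not part of the notice, that covers both. Disable-Atmfd renames atmfd.dll in System32 (and in SysWOW64 on 64-bit Windows) after saving its ACL; Restore-Atmfd renames it back, returns ownership to TrustedInstaller and restores the saved ACL; Set-AtmfdRegistry writes or removes the DisableATMFD value Microsoft documents for Windows 8.1 and earlier. Run it from an elevated, native-bitness PowerShell (3.0 or later) and reboot afterwards. Assumptions: takeown.exe and icacls.exe are present (they ship with the affected versions), atmfd.dll is at its default location, and DisableATMFD did not exist beforehand, so the undo deletes it rather than restoring a prior value.

```powershell
# Added example (not from the notice): mitigations 3 (rename atmfd.dll) and
# 4 (DisableATMFD registry value, Windows 8.1 and earlier) with undo and check.
# Assumes takeown.exe/icacls.exe exist and DisableATMFD was absent before.

if ($env:PROCESSOR_ARCHITEW6432) {
    # A 32-bit PowerShell on 64-bit Windows sees System32 redirected to SysWOW64
    # and would rename the wrong copy; insist on the native host.
    throw 'Run this from a 64-bit PowerShell on 64-bit Windows.'
}
$AtmfdDirs = @("$env:windir\System32")
if (Test-Path "$env:windir\SysWOW64") { $AtmfdDirs += "$env:windir\SysWOW64" }
$AtmfdRegKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Disable-Atmfd {
    foreach ($dir in $AtmfdDirs) {
        Push-Location $dir
        try {
            if (-not (Test-Path 'atmfd.dll')) {
                Write-Warning "$dir\atmfd.dll not found (Windows 10 1709 and later do not ship it)"
                continue
            }
            takeown.exe /f atmfd.dll | Out-Null
            icacls.exe atmfd.dll /save atmfd.dll.acl | Out-Null     # keep the DACL for the undo
            icacls.exe atmfd.dll /grant 'Administrators:(F)' | Out-Null
            Rename-Item -Path atmfd.dll -NewName x-atmfd.dll
        } finally { Pop-Location }
    }
}

function Restore-Atmfd {
    foreach ($dir in $AtmfdDirs) {
        Push-Location $dir
        try {
            if (-not (Test-Path 'x-atmfd.dll')) { continue }
            Rename-Item -Path x-atmfd.dll -NewName atmfd.dll
            icacls.exe atmfd.dll /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
            icacls.exe . /restore atmfd.dll.acl | Out-Null            # /restore works on the directory
            Remove-Item -Path atmfd.dll.acl
        } finally { Pop-Location }
    }
}

function Set-AtmfdRegistry {
    param([switch]$Undo)
    if ($Undo) {
        Remove-ItemProperty -Path $AtmfdRegKey -Name DisableATMFD -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $AtmfdRegKey -Name DisableATMFD -Value 1 -Type DWord
    }
}

function Test-AtmfdMitigation {
    $reg = Get-ItemProperty -Path $AtmfdRegKey -ErrorAction SilentlyContinue
    foreach ($dir in $AtmfdDirs) {
        [pscustomobject]@{
            Directory       = $dir
            DllRenamed      = (Test-Path "$dir\x-atmfd.dll") -and -not (Test-Path "$dir\atmfd.dll")
            DllAbsent       = -not (Test-Path "$dir\atmfd.dll") -and -not (Test-Path "$dir\x-atmfd.dll")
            DisableATMFDSet = ($reg.DisableATMFD -eq 1)
        }
    }
}

Disable-Atmfd; Set-AtmfdRegistry
Test-AtmfdMitigation                      # then Restart-Computer
# Restore-Atmfd; Set-AtmfdRegistry -Undo  # roll back, then reboot again
```

Neither change takes effect until the system is rebooted, and both carry the side effect Microsoft warns about: applications that rely on embedded Type 1 fonts will no longer render them correctly. Keep the saved atmfd.dll.acl file next to the renamed DLL; without it the undo cannot return the file to its original TrustedInstaller-owned state.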
The above is the ADV200006 notice on the Microsoft Windows Type 1 font handling remote code execution vulnerability.