Microsoft warns that malicious actors are exploiting two zero-day remote code execution (RCE) vulnerabilities in the Adobe Type Manager Library; both issues affect all supported versions of Windows.
The vulnerabilities stem from the way the Windows Adobe Type Manager Library handles a specially crafted multi-master font in the Adobe Type 1 PostScript format.
“Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released.” reads the advisory published by Microsoft.
“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.”
Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing guidance to help reduce customer risk until the security update is released. See the link for more details. https://t.co/tUNjkHNZ0N
— Security Response (@msftsecresponse) March 23, 2020
Microsoft describes several attack scenarios. For example, attackers can trick victims into opening a specially crafted document or simply viewing it in the Windows Preview pane, since the font is parsed when the file is rendered.
The good news is that the number of targeted attacks exploiting the two RCE flaws is "limited".
Microsoft announced that it plans to address the flaws with next month's Patch Tuesday release, scheduled for April 14.
“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.” continues the advisory.
Microsoft pointed out that a successful attack on systems running supported versions of Windows 10 could only result in code execution in the context of the affected AppContainer sandbox, with limited privileges and capabilities; on older Windows versions, where font parsing runs in the kernel, the impact of a successful exploit is greater.
Microsoft suggests disabling the Preview pane and the Details pane in Windows Explorer to reduce the risk of exploitation of both zero-day flaws.
“Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.” states the advisory.
Another mitigation is to disable the WebClient service, which blocks the most likely remote attack vector, delivery through the WebDAV (Web Distributed Authoring and Versioning) client service.
“After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet,” Microsoft clarifies.
A further workaround is to rename the vulnerable library itself, 'ATMFD.DLL', so that it can no longer be loaded; this step requires a reboot to take effect, and on 64-bit systems both the System32 and SysWOW64 copies must be renamed.
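The three workarounds above, applied from an elevated PowerShell session, as an added example that is not part of the original article or of Microsoft's advisory text. The registry value names used for the Explorer panes (NoPreviewPane and NoReadingPane under the per-user Policies\Explorer key) are those written by the "Turn off Preview Pane" and "Turn off Details Pane" Group Policy settings and are an assumption on my part; the takeown/icacls/rename sequence mirrors the usual manual procedure, and the ACL is saved first so the change can be reverted with icacls /restore.

```powershell
#Requires -RunAsAdministrator
# Added example: interim hardening for the Adobe Type Manager Library zero-days.
# Not code from the article or from Microsoft; registry value names are an assumption.
[CmdletBinding()]
param(
    # Opt-in: renaming atmfd.dll needs a reboot and does nothing on builds that no longer ship the file.
    [switch]$RenameAtmfd
)

function Disable-ExplorerPanes {
    # Per-user policy values that hide the Preview and Details panes in File Explorer,
    # so a crafted font is not parsed merely by selecting a file.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'NoPreviewPane', 'NoReadingPane') {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Restart the shell so the policy is read by the current session.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer.exe
}

function Disable-WebClientService {
    # Blocks the WebDAV path a remote attacker would most likely use to deliver the font.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
    Get-Service -Name WebClient | Select-Object Name, Status, StartType
}

function Rename-AtmfdLibrary {
    # Takes ownership, saves the original DACL for rollback, grants Administrators full
    # control (by well-known SID, so it works on localized systems) and renames the DLL.
    $dirs = @("$env:windir\System32", "$env:windir\SysWOW64") | Where-Object { Test-Path $_ }
    foreach ($dir in $dirs) {
        $dll = Join-Path $dir 'atmfd.dll'
        if (-not (Test-Path $dll)) {
            Write-Verbose "No atmfd.dll in $dir; workaround not applicable here."
            continue
        }
        & takeown.exe /f $dll | Out-Null
        & icacls.exe $dll /save "$dll.acl" | Out-Null          # keep the original ACL for /restore
        & icacls.exe $dll /grant '*S-1-5-32-544:(F)' | Out-Null # BUILTIN\Administrators
        Rename-Item -Path $dll -NewName 'x-atmfd.dll'
        Write-Verbose "Renamed $dll to x-atmfd.dll"
    }
}

Disable-ExplorerPanes
Disable-WebClientService
if ($RenameAtmfd) {
    Rename-AtmfdLibrary
    Write-Warning 'A reboot is required for the atmfd.dll rename to take effect.'
}
```

Run it once per host with `-Verbose` to see which steps applied; to roll back, delete the two registry values, set WebClient back to Manual, rename x-atmfd.dll back and run `icacls.exe <path> /restore <path>.acl`. Once the April update is installed, reverting the workarounds is the normal course of action.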