Adobe Font Manager Library Remote Code Execution Vulnerability

2020-04-14T07:00:00
ID MS:CVE-2020-0938
Type mscve
Reporter Microsoft
Modified 2020-04-14T07:00:00

Description

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.

For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.

The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.

There are several different workarounds in this section. Not all may apply to all networks.

Workaround | Applicability
---|---
Disable the Preview Pane and Details Pane in Windows Explorer | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class
Disable the WebClient service | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class
DisableATMFD registry key using a managed deployment script | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases
DisableATMFD registry key manually | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases
Rename ATMFD.DLL | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases

Note: We do not recommend that IT administrators running Windows 10 implement the workarounds described below. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the Mitigation section for more information.

Disable the Preview Pane and Details Pane in Windows Explorer

Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.

To disable these panes in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1, perform the following steps:

  1. Open Windows Explorer, click Organize , and then click Layout.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Organize , and then click Folder and search options.
  4. Click the View tab.
  5. Under Advanced settings , check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

To disable these panes in all supported client and server versions of Windows 10, perform the following steps:

  1. Open Windows Explorer, click the View tab.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Options , and then click Change folder and search options.
  4. Click the View tab.
  5. Under Advanced settings , check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Impact of workaround.

Windows Explorer will not automatically display OTF fonts.

How to undo the workaround.

To re-enable the Preview and Details panes in Windows Explorer for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1:

  1. Open Windows Explorer, click Organize , and then click Layout.
  2. Select both the Details pane and Preview pane menu options.
  3. Click Organize , and then click Folder and search options.
  4. Click the View tab.
  5. Under Advanced settings , clear the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

To re-enable the Preview and Details panes in Windows Explorer for all supported client and server versions of Windows 10, perform the following steps:

  1. Open Windows Explorer, click the View tab.
  2. Select both the Details pane and Preview pane menu options.
  3. Click Options , and then click Change folder and search options.
  4. Click the View tab.
  5. Under Advanced settings , clear the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, perform the following steps:

  1. Click Start , click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Disabled. If the service is running, click Stop.
  4. Click OK and exit the management application.

Impact of workaround.

When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

How to undo the workaround.

To re-enable the WebClient Service, perform the following steps:

  1. Click Start , click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Automatic. If the service is not running, click Start.
  4. Click OK and exit the management application.

DisableATMFD registry key using a managed deployment script

Please Note: This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  1. Create a text file named ATMFD-disable.reg that contains the following text:

    Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "DisableATMFD"=dword:00000001

  2. Run regedit.exe.

  3. In Registry Editor, click the File menu and then click Import.
  4. Navigate to and select the ATMFD-disable.reg file that you created in the first step. ( Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files ).
  5. Click Open and then click OK to close Registry Editor.
  6. Restart the system.

Impact of workaround

Applications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.

How to undo the workaround.

  1. Create a text file named ATMFD-enable.reg that contains the following text:

    Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "DisableATMFD"=dword:00000000

  2. Run regedit.exe.

  3. In Registry Editor, click the File menu and then click Import.
  4. Navigate to and select the ATMFD-enable.reg file that you created in the first step. (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files ).
  5. Click Open and then click OK to close Registry Editor.
  6. Restart the system.

DisableATMFD registry key manually

Please Note: This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the Mitigation section for more information.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  1. Run regedit.exe as Administrator.
  2. In Registry Editor, navigate to the following sub key (or create it) and set its DWORD value to 1: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 1
  3. Close Registry Editor and restart the system.

Impact of workaround

Applications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.

How to undo the workaround.

  1. Run regedit.exe as Administrator.
  2. In Registry Editor, navigate to the following sub key and set its DWORD value to 0: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 0
  3. Close Registry Editor and restart the system.

Rename ATMFD.DLL

Please Note: This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the Mitigation section for more information.

For 32-bit systems:

  1. Enter the following commands at an administrative command prompt:

    cd "%windir%\system32" takeown.exe /f atmfd.dll icacls.exe atmfd.dll /save atmfd.dll.acl icacls.exe atmfd.dll /grant Administrators:(F) rename atmfd.dll x-atmfd.dll

  2. Restart the system.

For 64-bit systems:

  1. Enter the following commands at an administrative command prompt:

    cd "%windir%\system32"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F) 
    rename atmfd.dll x-atmfd.dll
    cd "%windir%\syswow64"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F) 
    rename atmfd.dll x-atmfd.dll
    
  2. Restart the system.

Impact of workaround

Applications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.

How to undo the workaround

For 32-bit systems:

  1. Enter the following commands at an administrative command prompt:

    cd "%windir%\system32"
    rename x-atmfd.dll atmfd.dll
    icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
    icacls.exe . /restore atmfd.dll.acl
    
  2. Restart the system.

For 64-bit systems:

  1. Enter the following commands at an administrative command prompt:

    cd "%windir%\system32"
    rename x-atmfd.dll atmfd.dll
    icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
    icacls.exe . /restore atmfd.dll.acl
    cd "%windir%\syswow64"
    rename x-atmfd.dll atmfd.dll
    icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
    icacls.exe . /restore atmfd.dll.acl
    
  2. Restart the system.

For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.

Version | Fonts Process With
---|---
Windows 10 | fontdrvhost.exe in user mode appcontainer. Installed fonts are still processed in kernel mode
Windows 10 Version 1607/Server 2016 | fontdrvhost.exe in user mode appcontainer. Installed fonts are still processed in kernel mode
Windows 10 1703 | All fonts are processed in fontdrvhost.exe in user mode appcontainer.
Windows 10 1709 | All fonts are processed in fontdrvhost.exe in user mode appcontainer.
Windows 10 1803/Windows Server, version 1803 | All fonts are processed in fontdrvhost.exe in user mode appcontainer.
Windows 10 1809/Server 2019 | All fonts are processed in fontdrvhost.exe in user mode appcontainer.
Windows 10 1903/Windows Server, version 1903 | All fonts are processed in fontdrvhost.exe in user mode appcontainer.
Windows 10 1909/Windows Server, version 1909 | All fonts are processed in fontdrvhost.exe in user mode appcontainer.

For more information, see Mitigating font exploits with AppContainer.