Windows Type 1 Font Parsing RCE Vulnerability - Microsoft ADV200006

On the 23rd of March 2020, Microsoft released an important security advisory concerning two critical flaws that allow remote code execution (RCE).

These flaws exist in the way that Windows Adobe Type Manager improperly handles some specially crafted fonts.

They can be exploited by opening a malicious file containing one of these malicious fonts. The Windows Preview Pane is also an attack vector for this flaw, as previewing a maliciously crafted file could also trigger the exploit.

Microsoft has not yet announced a probable release date for the patch but has updated its security bulletin.

Microsoft also indicates that this vulnerability has already been exploited in the wild, but that exploitation remains rare and is used for targeted attacks.

As of 27th March 2020, no public exploit has been released.

Affected systems

RISK MITIGATION

Microsoft updated its security bulletin on the 27th of March 2020 (version 1.5) in order to lower the severity level applied to Windows 10 versions of its OS from critical to important.

Since Windows 10 1703, every font is processed in a user-mode context, within an “appcontainer”, by “fontdrvhost.exe”, which mitigates the impact of the vulnerability.
This means that in case of a successful exploitation of the vulnerability, the malicious code isn’t executed as SYSTEM but within the privilege context of the user.
Microsoft indicates that machines running Windows 10 present a negligible risk of arbitrary remote code execution and that elevation of privileges is impossible.

Furthermore, exploitation of this vulnerability has rarely been seen, only in targeted attacks, and apparently not against Windows 10. This is why it is not necessary to monitor Windows 10 machines for this vulnerability.

Microsoft also indicated that some malicious code may be natively blocked by Windows ATP (if activated).

DETECTION

The TEHTRIS security team has created and tested rules for the detection of this specific flaw. The XDR can now detect the loading of the libraries impacted by this vulnerability.

Example of a detection alert generated by the “DLL – Vulnerability atmfd.dll” rule

This detection relies on monitoring all of the libraries loaded on the system and could slightly reduce the performance of the machine on which it is activated.
Although no such slowdown has been noted on TEHTRIS test platforms, we recommend that you apply it specifically on machines that are allowed to view content from an outside network and that run a version prior to Windows 10. It is not necessary to activate it on internal servers and machines dedicated to administration.
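
The scoping recommended above, as an added example that is not TEHTRIS's rule or product code: a Python filter over constructed library-load events that alerts on atmfd.dll loads only for pre-Windows 10 machines that view outside content. The event schema, field names and host names are assumptions made for the illustration.

```python
import json
import ntpath
from collections import Counter

TARGET_LIBRARY = "atmfd.dll"  # library named in the alert title on this page

# Constructed sample events; the field names are a hypothetical schema.
SAMPLE_EVENTS = r"""
{"host": "ws-legacy-01", "os_version": "6.1.7601", "external_content": true, "image_loaded": "C:\\Windows\\System32\\ATMFD.DLL"}
{"host": "ws-legacy-02", "os_version": "6.3.9600", "external_content": true, "image_loaded": "\\SystemRoot\\System32\\atmfd.dll"}
{"host": "ws-win10-07", "os_version": "10.0.15063", "external_content": true, "image_loaded": "C:\\Windows\\System32\\atmfd.dll"}
{"host": "srv-admin-01", "os_version": "6.1.7601", "external_content": false, "image_loaded": "C:\\Windows\\System32\\atmfd.dll"}
{"host": "ws-legacy-03", "os_version": "6.1.7601", "external_content": true, "image_loaded": "C:\\Windows\\System32\\gdi32.dll"}
{"host": "ws-unknown", "os_version": "", "external_content": true, "image_loaded": "c:/windows/system32/Atmfd.dll"}
"""

def is_pre_windows10(os_version):
    """True when the major version is below 10; unparsable versions stay in scope."""
    try:
        return int(os_version.split(".")[0]) < 10
    except (ValueError, AttributeError):
        return True

def loads_target(path):
    """Match on the file name only, whatever the path prefix, separator or case."""
    return ntpath.basename(path or "").lower() == TARGET_LIBRARY

def triage(lines):
    """Return (alerts, skipped): alerts for in-scope hosts, counts of skip reasons."""
    alerts, skipped = [], Counter()
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not loads_target(event.get("image_loaded")):
            skipped["other_library"] += 1
        elif not is_pre_windows10(event.get("os_version")):
            skipped["windows10"] += 1       # Windows 10: not monitored per the text
        elif not event.get("external_content", True):
            skipped["internal_or_admin"] += 1
        else:
            alerts.append((event["host"], event["image_loaded"]))
    return alerts, skipped

if __name__ == "__main__":
    alerts, skipped = triage(SAMPLE_EVENTS)
    for host, path in alerts:
        print(f"ALERT {host}: loaded {path}")
    print("skipped:", dict(skipped))
```

Hosts with a missing or unparsable OS version are deliberately kept in scope so that an inventory gap does not silence the alert.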

In parallel with setting up this detection rule, TEHTRIS recommends raising your users' awareness of the risks of opening documents from an unknown source.

PROTECTION Through the TEHTRIS XDR Platform

Since the TEHTRIS XDR Platform has the capability to detect any exploitation of this vulnerability, it is possible to implement “protection rules” through the “remediation” functionality. These rules should not be applied before they have been properly tested for a certain period and on a representative sample of machines, in order to reduce false positives during regression tests.