Bewarethere is a new, critical and unpatched vulnerability that affects All Windows Versions. Exploit code is also publicly available! You should take immediate measures 

On 03/23/2020, Microsoft issued new security warning that could impact many Windows users because of two new critical, unpatched zero-day vulnerabilities. (Link to Microsoft's warning: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006)

According to Microsoft, both unpatched flaws could let hackers remotely take complete control over targeted computers and could be used in targeted attacks impacting all supported versions of the Windows operating system (including up to Windows 10 and Server 2019 editions).

Both vulnerabilities reside in the Windows Adobe Type Manager Library, a font parsing software used by Windows Explorer to display the content of a file in the 'Preview Pane' or 'Details Pane' without having users to open it.

Microsoft is working on a patch, that could be released to all Windows users as part of its next Patch Tuesday updates, on 14th April. The only solution is to apply a workaround. You should disable those features and its related DLL into the Operating System. Here is how to disable Preview Pane to mitigate this vulnerability.

HOWTO: For Organizations via GPO

NB: If you enable this policy setting the Preview Pane in File Explorer is hidden and cannot be turned on by the user. If you disable or do not configure this setting, the Preview Pane is not hidden by default and can be displayed by the user.

Step 1:

Policy path: Windows Components\File Explorer\Explorer Frame Pane
Scope: User
Supported on: At least Windows Vista
Registry settings:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoReadingPane

Step 2:

Policy path: User Configuration\Windows Settings\Registry
Scope: Local Computer
Supported on: At least Windows Vista
Registry settings:
HKEY_LOCAL_Machine\SYSTEM\CurrentControlSet\services\WebClient
Value: start = 4

HOWTO: For individual computers

Step 1: Disable the Preview Pane and Details Pane feature: Open Windows Explorer, click Organize and then click Layout;
Clear both the Details pane and Preview pane menu options;
Click Organize, and then click Folder and search options;
Click the View tab;
Under Advanced settings, check the Always show icons, never thumbnails box;
Close all open instances of Windows Explorer for the change to take effect.

Step 2: Disable Windows WebClient service: Press the Windows Key and R, type Services.msc and then click OK;
Right-click WebClient service and select Properties;
Change the Startup type to Disabled. If the service is running, click Stop;
Click OK and exit the management application.

Please note that it is still possible for remote attackers to run programs located on the targeted user's computer, but they can't do it without the user intervention. Users, in this scenario, are prompted for confirmation before opening arbitrary programs. And that creates the need for an awareness campaign towards your users to instruct them on being extra careful to any click they do.

Step 3: Rename or Disable ATMFD.DLL
Rename Adobe Type Manager Font Driver (ATMFD.dll) file to disable the embedded font technology to be used by 3rd-party apps (this could cause these apps to stop working. Enter the following commands at an administrative command prompt:

32-bit system

  • cd "%windir%\system32" 
  • takeown.exe /f atmfd.dll 
  • icacls.exe atmfd.dll /save atmfd.dll.perm32 
  • icacls.exe atmfd.dll /grant Administrators:(F) 
  • rename atmfd.dll atmfd.dll.orig32 

64-bit system

  • cd "%windir%\system32" 
  • takeown.exe /f atmfd.dll 
  • icacls.exe atmfd.dll /save atmfd.dll.perm32 
  • icacls.exe atmfd.dll /grant Administrators:(F) 
  • rename atmfd.dll atmfd.dll.orig32 
  • cd "%windir%\syswow64" 
  • takeown.exe /f atmfd.dll 
  • icacls.exe atmfd.dll /save atmfd.dll.perm64 
  • icacls.exe atmfd.dll /grant Administrators:(F) 
  • rename atmfd.dll atmfd.dll.orig64 

Step 4: Reboot

Our experts created the PowerShell script to temporarily mitigate the 0day Windows RCE Vulnerability. It will execute all the steps mentioned above automatically after your approval. 

DOWNLOAD THE SCRIPT

Manfredi Blasucci

Written by Manfredi Blasucci

Passionate about IT security, with a background of a PCI Qualified Security Assessor (PCI QSA) and IT Auditor. I dedicated most of my career to the study, design, and implementation of security solutions, writing policies, and procedures, implementing operational monitoring infrastructures and resolving Customer IT issues. This is what I like to do!

Comments