Getty Images/iStockphoto

Microsoft Warns Hackers Targeting Unpatched RCE Windows Flaws

Two zero-day exploits found in Windows platforms are being actively targeted by hackers; a successful remote code execution could allow a hacker to take control of the affected device.

Microsoft is warning organizations that hackers are actively exploiting two zero-day vulnerabilities found in its Windows Adobe Type Manager Library on all supported platforms running server and desktop releases.

A successful remote code execution (RCE) of these flaws would allow an attacker to take control over the device. Hackers are actively targeted legacy platforms, especially Windows 7. The tech giant ended support for those platforms in January 2020.

The two RCE vulnerabilities are found in Windows when the Adobe Type Manager Library “improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format." An attacker could exploit the flaw in multiple ways, including “convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

Ranked as critical by the tech giant, so far, the researcher has seen limited attacks on the flaws. However, Microsoft is still working on a patch, and it may not be available until April 14. For now, Microsoft is providing individual users and organizations with mitigation and workarounds to reduce the risk.

“We appreciate the efforts of our industry partners and are complying with a seven-day timeline for disclosing information regarding these limited attacks,” the advisory reads. “Microsoft is aware of this vulnerability and working on a fix.”

“The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015,” it continues. “Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible, and elevation of privilege is not possible.”

If the flaws are exploiting on Windows 10 devices, it will allow code execution but with limited capabilities within the AppContainer sandbox. And it could also potentially allow hackers to install programs, as well as change, view, or delete data and create new accounts with full user access rights.

As a result, those running Windows 10 should not implement the workarounds recommended by Microsoft. Further, those operating on older platforms are being urged to upgrade to the Windows 10 family of clients and servers.

To avoid exploit, Microsoft recommends organizations to disable the preview and details pane in Windows Explorer, which will prevent the automatic display of OTF fonts. This will prevent files from being viewed in Explorer, but doesn’t prevent a local, authenticated user from launching a customize program to exploit the vulnerability.

Further, organizations can disable the WebClient service, which can help protect the vulnerable systems from any attempt to exploit the flaw through blocking the most likely remote attack vector: the Web Distributed Authoring and Versioning (WebDAV) client service.

“After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted users computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet,” Microsoft warned.

“When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted,” the researchers continued. “In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.”

Organizations can also rename the actual library, which could potentially prevent a successful exploit. Microsoft provides step-by-step instructions on how to accomplish this in its advisory. The tech giant also warned that enhanced security configuration will not mitigate the flaw.

Also notable, Microsoft just announced it is pausing all non-essential platform updates during the Coronavirus pandemic, which has drastically increased the burned of IT support requirements.

“We have been evaluating the public health situation, and we understand this is impacting our customers,” Microsoft said. “In response to these challenges, we are prioritizing our focus on security updates.”

“Starting in May 2020, we are pausing all optional non-security releases (C and D updates) for all supported versions of Windows client and server products (Windows 10, version 1909 down through Windows Server 2008 SP2),” they added. “There is no change to the monthly security updates… These will continue as planned to ensure business continuity and to keep our customers protected and productive.”

Next Steps

Dig Deeper on Cybersecurity strategies