May 30, 2023



Critical New Windows 0Days Being Actively Exploited


Vulnerabilities are in atmfd.dll: a kernel module provided by Windows

All currently supported versions of Microsoft Windows (server and desktop) are exposed to two new remote code execution (RCE) vulnerabilities that are being actively exploited in the wild in “limited targeted attacks”, and there is no patch yet.

The new Windows 0days are in atmfd.dll: a kernel module that ships with Windows and provides support for OpenType fonts. (Although its full name is “Adobe Type Manager Font Driver”, it is Microsoft’s code, not Adobe’s.)

Security specialists at France’s Orange Cyberdefense said that if atmfd.dll is not present on a machine (it is not, apparently, on all of them) then no mitigation is needed. Computer Business Review could not immediately verify this. Mitigations are urgent.

Microsoft warned today of the flaws (base CVSS: 10) that “there are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane”.

It has posted a sweeping range of remediation options but suggested that a patch may not be ready until April 14’s “Patch Tuesday”. No credit for the disclosure was given; it was not immediately clear how the RCEs were identified.

It is not the first time that atmfd.dll has been the cause of security woes: two early January 2018 vulnerabilities disclosed to Microsoft by Google’s Project Zero (CVE-2018-0754, CVE-2018-0788) also involved security flaws in the module. Those two CVEs (which concerned how it handles objects in memory) required local access.

New Windows Vulnerability 

Microsoft said (ADV200006): “[The two RCEs exist] when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format… For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.”

MSFT said: “Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.”

Guidance on disabling these panes is available here.
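As an added example (not code from the article or from Microsoft), a read-only PowerShell audit that reports whether atmfd.dll is present on the host (the article notes that if it is absent no mitigation is needed), whether the DisableATMFD registry value that Microsoft's advisory documents for Windows 8.1 and earlier is set, and whether the host runs Windows 10, where the advisory says a successful attack is confined to an AppContainer. The System32 path, the registry location and the recommendation wording are assumptions to check against ADV200006.

```powershell
# Read-only audit of a host's exposure to the ADV200006 atmfd.dll flaws.
# Added example, not the article's or Microsoft's code. Assumptions:
#  - atmfd.dll lives in %windir%\System32 (its usual location);
#  - DisableATMFD (DWORD) under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
#    is the advisory's registry switch for Windows 8.1 and earlier (verify against ADV200006).
# Run from an elevated prompt; nothing here changes the system.

function Get-AtmfdExposure {
    $dllPath = Join-Path $env:windir 'System32\atmfd.dll'
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem

    # Is the vulnerable kernel-mode font driver on disk at all?
    $dllPresent = Test-Path -LiteralPath $dllPath
    $dllVersion = if ($dllPresent) { (Get-Item -LiteralPath $dllPath).VersionInfo.FileVersion } else { $null }

    # Has the driver been switched off via the registry (pre-Windows 10 mitigation)?
    $disableValue = (Get-ItemProperty -Path $regPath -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
    $driverDisabled = ($disableValue -eq 1)

    # On Windows 10 the advisory limits a successful attack to an AppContainer sandbox.
    $isWin10OrLater = ([int]$os.Version.Split('.')[0]) -ge 10

    # Kernel-level impact needs the DLL present, not disabled, and an OS older than Windows 10.
    $kernelImpactPossible = $dllPresent -and (-not $driverDisabled) -and (-not $isWin10OrLater)

    $recommendation =
        if (-not $dllPresent)      { 'atmfd.dll absent: no mitigation needed (per Orange Cyberdefense)' }
        elseif ($driverDisabled)   { 'DisableATMFD=1: kernel font driver already disabled' }
        elseif ($isWin10OrLater)   { 'Windows 10: impact limited to AppContainer; disable Preview/Details panes until patched' }
        else                       { 'Pre-Windows 10 with ATMFD active: disable panes and apply the ADV200006 workarounds' }

    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        OSVersion            = $os.Version
        AtmfdPresent         = $dllPresent
        AtmfdVersion         = $dllVersion
        DisableATMFD         = $disableValue
        KernelImpactPossible = $kernelImpactPossible
        Recommendation       = $recommendation
    }
}

Get-AtmfdExposure | Format-List
```

Run it on a fleet via your usual remoting and compare the AtmfdPresent and Recommendation columns to find hosts that still need the pane workaround before Patch Tuesday.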

Microsoft is aware of this vulnerability and working on a fix, the company said: “Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”
