How to Mitigate the Windows Font Parsing Zero-Day Bug via GPO

Active Directory (AD) admins can mitigate the recently disclosed and actively exploited remote code execution (RCE) zero-day found in the Windows Adobe Type Manager Library in large AD environments using group policies.

Microsoft warned on March 23 of limited ongoing targeted attacks against Windows 7 devices attempting to exploit two unpatched vulnerabilities in the Adobe Type Manager Library.

The security flaws impact devices running both desktop and server Windows releases, including Windows 10, Windows 8.1, Windows 7, and multiple versions of Windows Server.

To exploit the security issues, attackers can trick victims into opening maliciously crafted documents or viewing them via the Windows Preview pane — the Outlook Preview Pane is NOT an attack vector.

Microsoft already shared a number of workarounds designed to block or reduce the risks behind attacks abusing these vulnerabilities, including disabling the Preview and Details panes in Windows Explorer, disabling the WebClient service, and renaming the vulnerable library (ATMFD.DLL).

However, Microsoft’s workarounds aren’t easy to implement to mitigate attacks in an enterprise AD environment.

To mitigate the issue at scale on corporate devices running vulnerable versions of Windows, you can roll out the workarounds in one go with group policies, as Microsoft MVP Sylvain Cortes explained in a blog post.

Using GPOs for corporate mitigation

First of all, open the GPMC console and create a new GPO by right-clicking on the ‘Group Policy Objects’ folder.

Afterward, go to the User Configuration>Policies>Administrative Templates>Windows Components>File Explorer and enable these two GPO options to disable previewing locally and over the network:

• Turn off display of thumbnails and only display icons

• Turn off the display of thumbnails and only display icons on network folders

Disabling preview (Image: Sylvain Cortes)

“Close your GPO and link this GPO with all the automation office user accounts in your organization (in a nutshell, all the user accounts which can be used on your workstation),” Sylvain added.

Next, create a new GPO using GPMC from a workstation and disable the WebClient service from the Computer Configuration>Policies>Windows Settings>Security Settings>System Services section.

This GPO has to be linked with all other workstation computer accounts in your organization to have WebClient disabled everywhere.

WebClient GPO (Image: Sylvain Cortes)

Both GPOs should be reverted once Microsoft releases a patch for the actively exploited RCE vulnerabilities affecting the font parsing component in all supported versions of Windows.
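The two-GPO rollout described above can also be scripted instead of clicked through in GPMC. The following PowerShell is an added example and is not code from the article or from Sylvain Cortes' post. It assumes a domain-joined admin workstation with the RSAT GroupPolicy module, and it uses placeholder GPO names and OU distinguished names that you must adapt. The two user-side registry values are the ones behind the File Explorer thumbnail policies named above; for the WebClient service it writes the service's Start value (4 = Disabled) as a policy registry entry, which is an assumed scriptable substitute for the System Services security-template setting the article uses (a running WebClient instance only stops at the next reboot or when stopped explicitly). The last function is a per-workstation check to run after gpupdate.

```powershell
Import-Module GroupPolicy

# Placeholder names and OUs (constructed for this example; adapt to your domain)
$UserGpoName     = 'Mitigation-FontParsing-Users'
$ComputerGpoName = 'Mitigation-FontParsing-Workstations'
$UserOU          = 'OU=Users,DC=example,DC=local'
$WorkstationOU   = 'OU=Workstations,DC=example,DC=local'

function New-GpoIfMissing {
    param([string]$Name, [string]$Comment)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment $Comment }
    return $gpo
}

# --- GPO 1 (User Configuration): no thumbnail rendering, locally or over the network ---
# These values back the Administrative Template settings
# "Turn off the display of thumbnails and only display icons" and
# "Turn off the display of thumbnails and only display icons on network folders".
New-GpoIfMissing -Name $UserGpoName -Comment 'Font-parsing zero-day workaround: disable previews' | Out-Null
$explorerPolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $UserGpoName -Key $explorerPolicyKey `
    -ValueName 'DisableThumbnails' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $UserGpoName -Key $explorerPolicyKey `
    -ValueName 'DisableThumbnailsOnNetworkFolders' -Type DWord -Value 1 | Out-Null

# --- GPO 2 (Computer Configuration): WebClient (WebDAV) service disabled ---
# Assumption: setting Start=4 through the registry policy extension is used here
# in place of the GPMC System Services editor, which has no cmdlet equivalent.
New-GpoIfMissing -Name $ComputerGpoName -Comment 'Font-parsing zero-day workaround: disable WebClient' | Out-Null
Set-GPRegistryValue -Name $ComputerGpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\WebClient' `
    -ValueName 'Start' -Type DWord -Value 4 | Out-Null

# Link GPO 1 to the user OU(s) and GPO 2 to every workstation OU.
New-GPLink -Name $UserGpoName     -Target $UserOU        -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
New-GPLink -Name $ComputerGpoName -Target $WorkstationOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Run on a workstation after 'gpupdate /force' to confirm the resultant state.
function Test-FontParsingMitigation {
    $explorer = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $svcKey   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient' -ErrorAction SilentlyContinue
    $svc      = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ThumbnailsDisabled        = ($explorer.DisableThumbnails -eq 1)
        NetworkThumbnailsDisabled = ($explorer.DisableThumbnailsOnNetworkFolders -eq 1)
        WebClientStartDisabled    = ($svcKey.Start -eq 4)
        WebClientRunning          = ($svc -and $svc.Status -eq 'Running')   # still True until reboot/stop
        AtmfdPresent              = (Test-Path "$env:SystemRoot\System32\atmfd.dll")
    }
}

# When the fix ships, unlink rather than delete so the GPOs can be re-applied if needed:
#   Remove-GPLink -Name $UserGpoName -Target $UserOU
#   Remove-GPLink -Name $ComputerGpoName -Target $WorkstationOU
```

Test-FontParsingMitigation reports four booleans you want True and one (WebClientRunning) you want False; AtmfdPresent only tells you whether the library the advisory's renaming workaround targets is on disk, it does not indicate patch state.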

Microsoft said that it’s working on a fix for this zero-day flaw and hinted at a future release during this month’s Patch Tuesday (on April 14).

Last week, Acros Security, the company behind the 0Patch platform, released micropatches that mitigate the risk of exploitation on devices running Windows 7 64-bit and Windows Server 2008 R2 that are not enrolled in Microsoft’s Extended Security Updates (ESU) program.

H/T Günter Born
