
Windows code-execution zeroday is under active exploit, Microsoft warns - vo2maxer
https://arstechnica.com/information-technology/2020/03/attackers-exploit-windows-zeroday-that-can-execute-malicious-code/
======
robocat
Some additional points from [https://www.itnews.com.au/news/new-remote-code-
execution-win...](https://www.itnews.com.au/news/new-remote-code-execution-
windows-zero-days-actively-exploited-539730)

* Attackers can exploit the vulnerability by embedding the Type 1 fonts into documents and convincing users to open them

* The vulnerabilities lies in the Windows Adobe Type Manager Library ATMFD.DLL

* disabling the Windows WebClient service blocks what Microsoft says is the most likely remote attack vector, through the Web Distributed Authoring and Versioning (WebDAV) client service.

* local, authenticated users can run malicous programs that can exploit the vulnerability (I presume this is a privilege escalation).

~~~
afrcnc
or you can link to the actual MSFT advisory instead of all these articles
rewording the same thing: [https://portal.msrc.microsoft.com/en-US/security-
guidance/ad...](https://portal.msrc.microsoft.com/en-US/security-
guidance/advisory/ADV200006)

------
mrpippy
ATMFD strikes again, and undoubtedly not for the last time.

More info on the history of ATMFD (and some previous vulnerabilities):
[https://googleprojectzero.blogspot.com/2015/07/one-font-
vuln...](https://googleprojectzero.blogspot.com/2015/07/one-font-
vulnerability-to-rule-them-all.html)

~~~
r00fus
Is there no way to simply remove this DLL or is it too widely used in core
Windows?

~~~
blattimwind
This is part of the huge and unending clusterfuck of vulnerabilities that
people find in the Windows graphics stack, which was wisely moved to kernel
space early on in NT's life, which makes all these vulnerabilities much more
critical than they would be otherwise.

~~~
pixel16
Graphics hasn't been kernel mode since the Vista days FYI. It's now in
userspace.

~~~
jdsully
It was moved out in Vista with great fanfare. A side effect was GDI was no
longer hardware accelerated. With windows 7 and later hardware acceleration
was added back necessitating parts of it return to the kernel. For obvious
reasons this wasn't as widely publicized.

This makes exploits like this possible:
[https://sensepost.com/blog/2017/abusing-gdi-objects-for-
ring...](https://sensepost.com/blog/2017/abusing-gdi-objects-for-
ring0-primitives-revolution/)

~~~
saagarjha
I seem to recall having a discussion with you a while back where Windows would
just leave kernel pointers out in userspace, which seemed to do with GDI as
well.

~~~
jdsully
Yes, I think we debated the whole concept of GDI being in the kernel as well.

The Vista experience shows you it was and still is necessary for perf.

------
blinkingled
> Elsewhere the advisory said: “For systems running supported versions of
> Windows 10 a successful attack could only result in code execution within an
> AppContainer sandbox context with limited privileges and capabilities.”

[https://portal.msrc.microsoft.com/en-us/security-
guidance/ad...](https://portal.msrc.microsoft.com/en-us/security-
guidance/advisory/adv200006#ID0EMGAC) :

Windows 10 1709+ All fonts are processed in fontdrvhost.exe in user mode
appcontainer. ATMFD.DLL status: Not present

------
peter_d_sherman
I've always wondered why fonts are rendered programmatically...

Usually, font renderers are Turing complete in some way, and usually this
opens up security concerns, and rightfully so...

One of the primary reasons why fonts are rendered programmatically is because
there's a theoretically infinite set of sizes/styles that might be required...

Well... why not make fonts with glyphs that are say, 5000 x 5000 pixels... and
then instead of rendering for a particular size, line by line, stroke by
stroke, curve by curve, why not instead use an interpolation algorithm to
shrink that 5000 x 5000 pixel glyph to the exact size you want?

If a font provider program were made to operate that way, then all that would
be needed to audit the program for security - would be to audit the
shrinking/interpolation algorithm -- which could be as simple as possible
(it's just a function which shrinks a bitmap of size A to another bitmap of
size B... not a Turing machine which ingests other programs...)

Yes, fonts would consume much more memory (I suppose they could be
compressed), but doing things that way might make font-providing programs more
secure. And yes, you'd need to provide extra glyphs for italic, bold, bold
italic, etc. (much more memory), but you'd be making a trade-off for a simple,
security auditable font-provider... (we assume it's open-source...)

~~~
peter_d_sherman
A bunch of interesting comments, to be sure.

All I know is, the fonts (in ROM) in the original IBM-PC, or the Apple ][, or
the C-64, or the Atari 800, or any other of the 64K computers of the 1980's --
_never had a security issue with their (ROM bitmap) fonts_.

That, and:

 _I challenge all of the naysayers to come up with a better solution than the
one I have proposed_...

Not all font-renderer/language experts, here, are we?

Neither am I.

That's the whole point.

A graphical shrink routine I can easily audit for security holes.

A font description language (an entire _language_ mind you!) with lots of
nuances -- how is any normal human being (much less rockstar programmer)
supposed to audit one of those, with all of its possibilities, for security
holes, in a single human lifetime?

We've seen some _very subtle_ manipulation of these (evinced by this article),
whether intentional or not...

A simple graphical shrink routine -- is orders of magnitudes more transparent
and auditable than font description languages, or their interpreters...

You want a better solution?

Come up with one and tell me what it is!

I'm listening...

~~~
peter_d_sherman
Actually, I'll come up with a better option... don't render any fonts
locally... instead, get them when/as you need them as precisely sized bitmaps,
from a font server, somewhere else on the Internet...

Now the security for the font server becomes the problem of the server its
running on, not your local PC... and while the font server runs the risk of
compromise, you, by only using pre-rendered bitmaps, should ideally not...

Of course, the drawback to this approach is, what if you want to work offline
and have not downloaded the necessary fonts?

~~~
core-questions
> Actually, I'll come up with a better option... don't render any fonts
> locally... instead, get them when/as you need them as precisely sized
> bitmaps, from a font server, somewhere else on the Internet...

This sounds like:

\- a latency nightmare \- a performance nightmare \- a privacy nightmare

> Of course, the drawback to this approach is, what if you want to work
> offline and have not downloaded the necessary fonts?

I'm calling Poe's Law on you, friend

~~~
peter_d_sherman
A latency and performance nightmare... yes, quite possibly.

A privacy nightmare? I don't see how (unless you had to register on the font-
serving machine and it tracked fonts downloaded -- but is that really privacy
invading?)

Yes, there would be trade-offs (didn't I say that a couple of times?), but
such is the price potentially paid for font renderer security...

That is -- get rid of the font renderer software component...

Hey, one other idea, while I'm at it... run the font renderer in a virtual
machine... that could possibly work too... although given that virtual
machines have the same issues with complexity and security bugs, I'm sort of
50/50 about that...

Another idea: You could have a completely sandboxed language VM -- (e.g.,
JVM), and if that language VM is provably secure -- run the font renderer code
on it...

But again, we've seen JVM security bugs so...

I'm going to have to go with either "shrink a big bitmap" or "put the font
renderer on an entirely different server and serve exact-sized bitmaps"
ideas...

Or... use a 64K computer from the 1980's where the glyphs are in ROM... <g>

~~~
GauntletWizard
Yes, font downloading is privacy invading - You can make a "totally unique"
font like "timesoldroman-adfssdg" and then track everyone who's downloaded it,
for each webpage you want to track. It's just like any other tracking cookie,
except a font.

~~~
peter_d_sherman
Didn't think about that, but yes, that makes sense...

------
unnouinceput
2 points:

1 - article has wrong info. Under Windows 10 the name is ATMLIB.DLL. ATMFD.DLL
is the name for older version of Windows

2 - rename it. Here is the script to be used under an elevated command prompt
(change name accordingly if Win10):

cd "%windir%\system32"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

cd "%windir%\syswow64"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

~~~
asimops
Please keep in mind that you need to localize 'Administrators' to make this
work on non english systems. When deploying this, it would be better to
replace the name with the groups sid. I am on mobile right now but some fellow
hacker can surely provide them.

~~~
moepstar
Looking up your local Administrator name:

wmic path win32_group where (LocalAccount=true AND SID="S-1-5-32-544") get
Name

edit: that's just the name of the local Administrators group, here's how to
get the Admin-accountname:

wmic useraccount where (domain='localhostname' and sid like 'S-1-5-21-%%-500')
get sid /value

wmic useraccount where (domain='localhostname' and
sid='sidfromfirstcommandhere') get name /value

~~~
Randor
Hmmmm,

That will just return the name of the built-in Administrators account. If you
wanted to find all user accounts in the administrators group you could do:

powershell -c
"$([ADSI]'WinNT://YOUR_MACHINE_NAME/Administrators,group').psbase.Invoke('Members')
| foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_,
$null)}"

------
jliptzin
When has someone ever thought there wasn’t a Windows zeroday under active
exploit?

~~~
nabakin
No one. They are adding emphasis.

------
voldacar
Why should a kernel even have the slightest idea what a font is? this is
absurd

~~~
sb057
[https://stackoverflow.com/questions/28532190/why-does-
window...](https://stackoverflow.com/questions/28532190/why-does-windows-
handle-scrollbars-in-kernel)

------
ChrisSD
> For systems running supported versions of Windows 10 a successful attack
> could only result in code execution within an AppContainer sandbox context
> with limited privileges and capabilities.

Which is still not good but not as bad as it could be.

~~~
saagarjha
Isn't this code running in Windows Explorer? That sounds like it could
potentially be pretty bad.

~~~
WorldMaker
Explorer doesn't render arbitrary user selected fonts and Segoe UI is not a
PostScript font, so I don't think Explorer itself uses this component at all?
(A lot of Windows should be using DirectWrite now? I don't think DirectWrite
uses this component either?)

Also, the way this is written is sounds like system isolates this DLL into its
own AppContainer separate from specific apps that use/rely on it (and I guess
remote to it)?

~~~
WorldMaker
I found answers to some of my questions on my own:

\- The AppContainers thing sounds like it directly refers to the Panes in
Explorer referenced, and it sounds like it is Explorer creating the sandboxes,
so they wouldn't bubble out of the Pane, so it probably is correct that
versions of Windows 10 doing that don't have a lot to worry about that as an
exploit vector. That probably doesn't apply to other possible vectors such as
evil PDFs/Word Documents, though those generally have warnings for PostScript
fonts at this point. (I glossed over the Panes as the concern for the idea it
might be running in the Explorer process. Their an "extension point", so
Explorer moving them into sandboxes sound like exactly what it should have
done, and not surprising is what it is doing.)

\- DirectWrite is considered to have parts forked, but entirely independent,
from ATMFD. Some CVEs have been caught that also impacted (lightly)
DirectWrite, but this doesn't sound like one.

~~~
kevingadd
AppContainers have nothing to do with panes, see here:
[https://docs.microsoft.com/en-
us/windows/win32/secauthz/appc...](https://docs.microsoft.com/en-
us/windows/win32/secauthz/appcontainer-isolation)

It's a sandboxing method, and atmfd was moved into a sandbox to reduce the
risk of people exploiting bugs in it. At this point it is clear that
sandboxing it was worth the effort.

~~~
WorldMaker
Fair, that link points out the Kernel hosts some sandboxes directly. I had
assumed they mostly had to be opt-in at the application level (opt-out in the
case of the UWP platform), given the name, and those Panes are open third-
party extension points and it does seem like sandboxes should apply to
anything running in them as well, so it seems a fair assumption to believe
that is where they were applied.

------
dmix
> The second workaround—disabling the WebClient service—blocks the vector
> attackers would most likely use to wage remote exploits. Even with this
> measure in place, it’s still possible for remote attackers to run programs
> located on the targeted user’s computer or local network. Still, the
> workaround will cause users to be prompted for confirmation before opening
> arbitrary programs from the Internet.

... why doesn't WebClient also prompt users before opening programs via things
from the internet then?

It basically makes anything that calls an internet service in authenticated
apps, like Windows Explorer's image preview pane, a vector for loading
arbitrary programs without warning.

Am I missing something here? Some way this would be really annoying or
pointless?

I know Android never bit the bullet with making _any_ internet access require
a privacy confirmation, which I'm guessing might be overwhelming to the
average user. But I still think it should be an option, like an opt-in Little
Snitch for network access that includes embedded webkits.

------
jacquesm
The larger your kernel the bigger the chance that it will get hacked. This
stuff should have never been in the kernel in the first place.

------
jjtheblunt
“For systems running supported versions of Windows 10 a successful attack
could only result in code execution within an AppContainer sandbox context
with limited privileges and capabilities.”

~~~
mike_d
Anyone running around actively exploiting a zero-day Windows font parsing
exploit likely also has a sandbox escape exploit too.

------
glofish
No patch available but one of the recommended mitigations is to:

    
    
      Rename ATMFD.DLL
    

would it be possible to have a patch that renames this file for me, if that is
indeed a desirable and workable solution.

~~~
rkagerer
In the meantime:

    
    
        Right-click C:\Windows\System32\atmfd.dll
        Properties | Security | Advanced | Owner, take ownership.
        Close dialogs, go back in and give yourself Full Control.
    

Now you can rename the file.

~~~
bilegeek
Would renaming cause issues with Office 2016, perchance?

~~~
rkagerer
Haven't encountered any definitive ones yet.

I renamed it, then used Outlook 2016 successfully for days (mostly Outlook,
Word and some Excel). After a reboot, I did get an error code 0x426-0x0 trying
to start office apps, but I'm pretty sure that was just due to disabling the
Click-To-Run service a long time ago and (possibly) having gotten new updates
pushed to me during the reboot.

I did an SFC /SCANNOW which restored the original atmfd.dll, and I immediately
deleted it.

If you bump into any OpenType fonts it might be a different story.

------
wolfi1
MS should consider including the freetype library instead of Adobe's type
manager

~~~
Tempest1981
Someone posted this comment in the arstechnica article:

 _To be clear and despite its name, this is not Adobe code. Microsoft was
given the source code for ATM Light for inclusion in Windows 2000 /XP. After
that, Microsoft took 100% responsibility for maintaining the code._

 _Microsoft has added additional code and removed code from that DLL (they
shove all their Type 1 handling and Open Type font format handling into that
one DLL)_

------
miohtama
It says Adobe... So there is a component from Adobe in the core windows? Or
does the DLL come with a PDF reader installation?

~~~
calibas
It's needed for displaying Postscript Type 1 fonts. I believe Adobe owns the
licensing for everything but it's up to Microsoft to update the Windows 10
DLL.

~~~
tpmx
Then they (Microsoft) should deliver an update that disables this
functionality, within the the next three hours.

Then re-enable it when the fix is in.

~~~
tinus_hn
I demand to speak to Adobe’s manager!

------
greggman3
I really wish (hope) that Microsoft is working on a brand new OS with a VM
like thing for running legacy stuff (like Apple did with OS9 to OSX)

They really do need to start over from scratch, get rid of all the cruft,
design the APIs not to suck, design in security, permissions, and sandboxing
from the beginning. Make root kits and other spyware much harder. Get rid of
installation scripts (more like iOS/Android/Some Mac app) and a million other
things.

I don't hate windows but I hate that every app I install including every game
on steam or the oculus store or humble bundle can basically own my machine.

~~~
zvrba
> They really do need to start over from scratch, get rid of all the cruft,
> design the APIs not to suck, design in security, permissions, and sandboxing
> from the beginning.

Security model is still better than what POSIX provides. As for sandboxing:
"For systems running supported versions of Windows 10 a successful attack
could only result in code execution within an AppContainer sandbox context
with limited privileges and capabilities." From
[https://portal.msrc.microsoft.com/en-us/security-
guidance/ad...](https://portal.msrc.microsoft.com/en-us/security-
guidance/advisory/adv200006#ID0EMGAC)

------
nyanpasu64
Could web fonts (CSS font-face) allow exploitation by merely visiting a
browser page?

------
yread
It is a good time for exploit (even the ones that can be patched) as people
work from home and can't access enterprise WSUS servers to fetch updates

------
hackersword
Where is ATMFD.DLL ?

I am not seeing that in c:\windows\system32\ATMFD.DLL in multiple different
windows10 machines I've checked.

~~~
unnouinceput
this is a mistake in article. atmfd.dll is for older version of windows.
Windows 10 has it under name of ATMLIB.DLL.

Search for that one instead and rename it.

------
0x0
So does this mean that Windows 7 will forever be stuck with an easily(?)
exploitable font engine vulnerability?

~~~
lexicality
That's what end of life generally means. Look at what happened to XP...

~~~
vbezhenar
They fixed dangerous exploit in XP after EOL. I think that they'll fix this
exploit as well, unless it's not very dangerous.

------
ngneer
von Neumann saw that code is data. Now what? We like the power of computation
too much to give it up, and yet cannot avoid the pitfalls of complex
interpreters. Compartmentalize though we may, control is not easy to tame.

------
EmilioMartinez
What is a good way to keep up with active vulnerabilities and zero-days?

~~~
alyandon
Requires a Microsoft account but I subscribe to their email lists.

[https://www.microsoft.com/en-us/msrc/technical-security-
noti...](https://www.microsoft.com/en-us/msrc/technical-security-
notifications)

------
swebs
Again?

------
wintorez
Thanks Microsoft!!

------
pas
Win10 is supposed to be evergreen, aggressively auto-updating, etc. so how
come there are years old versions around!?

(Win10 1703+ is already not using this DLL, that came out years ago.)

~~~
lexicality
Because idiots do everything they possibly can to stop their os updating

~~~
BubRoss
When you have an OS that updates out from under you, takes 45 minutes to
shutdown or start up, shuts down without your control etc. it's no wonder
people want more control over their updates.

~~~
lexicality
Not to be callous, but if your computer takes 45 minutes to restart you need
to reinstall Windows because there's clearly something wrong with it.

~~~
BubRoss
It takes 45 minutes to shutdown or start up when updates are being installed
and at least on windows 7, you wouldn't even know it was going to happen.

~~~
lexicality
In my experience of running windows 10 on a 7 year old laptop, you get a
persistent status icon telling you updates are available. If you ignore that
for a week you start getting intrusive notifications saying "your computer
needs to restart, do it now?" and if you put that off for a few days you start
getting a popup with the options "restart now?" and "ask me in 10 minutes".

If you put that off for long enough, it will restart the next time you close
the lid.

I cannot imagine anyone going through all that and then going "wow I wasn't
expecting an update!"

On top of that, it generally takes 5-10 minutes tops to actually do the
update, more usually it's a standard restart that takes like 30s.

the only "45 minute" update I've had was one of the big service pack updates
and that was opt-in with an up front warning.

~~~
BubRoss
These are pretty common complaints, servers, signs and many people get updates
forced on them. Windows 10 was forced on many, many people. Just because you
don't care doesn't mean lots of people haven't been burned.

------
paulie_a
Is there a search and destroy program that can 100 percent remove anything
with even a hint of adobe code? Windows should banish adobe PDF from being
utilized in the is and actively treat it as a virus.

If it's zero day on Windows it is pretty much a guarantee that adobe or Oracle
was involved

------
SlowRobotAhead
> The security flaw exists in the Adobe...

Imagine my surprise. Geez maybe it’s not the best idea to allow Adobe to
entirely run the font game?

Source: worked at Adobe years ago

~~~
klingonopera
I imagine you're getting downvotes because of your _smug_ hyperbole, but in
essence, I wouldn't deny that that is a legit question (not the entire
fontgame, I guess, but a core part of it anyway).

It's also one of the reasons to reduce use of proprietary software to a
minimum. Especially, if it's a core component of the system. Flatline, it's an
increased security risk you can't verify.

On a serious note: Are there legit reasons to have it being a core component?

~~~
SlowRobotAhead
Yea... worked at Adobe. It’s not smug hyperbole. That company doesn’t have any
sort of culture of responsible coding.

Without question one of the worst companies to be put in charge of anything
important anywhere.

That’s all I’ll say about Adobe. Dark times, glad I moved on.

