On March 23, 2020, Microsoft released details about two separate remote code execution (RCE) vulnerabilities that threat actors were exploiting in the wild in limited, targeted attacks on Windows 7 systems.[1] For a bit of context, let’s do a quick rewind to the mid-1980s, and review how Adobe got involved with Microsoft and landed squarely in the font game.

Adobe began with PostScript, the page description language that turned documents into device-independent printable output and later served as the basis for the Portable Document Format (PDF). PostScript became the computing industry's standard for printing and font rendering after Apple adopted it for the Macintosh and the LaserWriter in 1985, helping to launch the desktop publishing boom. Microsoft later needed the same quality of font rendering for its own users: it co-developed the OpenType format with Adobe in the mid-1990s and licensed Adobe's Type 1 rasterizer, Adobe Type Manager, which ships in Windows as the Adobe Type Manager Font Driver (atmfd.dll).

Both vulnerabilities reside in the Adobe Type Manager Library (atmfd.dll) and stem from how it handles multiple-master fonts in the Adobe Type 1 PostScript format. They made major information security news as a "zero-click" bug: the victim does not have to open anything, because Windows parses the font as soon as a file containing it is rendered, for example in the Windows Explorer Preview Pane, which lets a malicious actor gain code execution on the device they wish to target. Note that the vulnerabilities also affect Windows 8.1 and Windows 10 as well as Windows Server 2008, 2012, 2016 and 2019; on Windows 10, however, font parsing runs in a user-mode AppContainer sandbox rather than in the kernel, so a successful exploit there yields only limited privileges, whereas on Windows 7 and 8.1 atmfd.dll is a kernel-mode driver and code execution is in the kernel.

When Microsoft made its announcement, no patches existed; it was not until the April 14, 2020 Patch Tuesday release that the company fixed them, assigning CVE-2020-1020 and CVE-2020-0938. It is rare for Microsoft to acknowledge an exploited-in-the-wild zero-day through an out-of-band advisory of its own, especially since these were not the first vulnerabilities in the Adobe Type Manager library: CVE-2019-1456 and CVE-2019-1419 were also code execution flaws in Windows font parsing.

The two current vulnerabilities are alike in that both can be triggered when a crafted font is rendered by the Windows Explorer Preview Pane or Details Pane (see Figure 1), which, N.B., is not the Microsoft Outlook preview pane. Threat actors can also deliver the font inside a document the user opens, or host the file on a Web Distributed Authoring and Versioning (WebDAV) share, the HTTP extension that lets users open and edit files such as Microsoft Word, Excel or PowerPoint documents directly on a remote server; this is why disabling the WebClient service appears among the workarounds.

Figure 1: 0Patch Publishes Micropatch to Address Windows Font Parsing Vulnerability

At the time of the advisory on March 23, some mitigations already existed (see Figure 1 for the micropatch from the third-party vendor 0Patch and Figure 2 for Microsoft's own workarounds), but Windows 7 and Windows 8.1 as well as several Windows Server versions remained critically vulnerable.

| Workaround | Applicability |
|---|---|
| Disable the Preview Pane and Details Pane in Windows Explorer | Works on all systems, but won't mitigate the issue if you open a document containing the vulnerable font class. |
| Disable the WebClient service (disables WebDAV) | Works on all systems, but won't mitigate the issue if you open a document containing the vulnerable font class. |
| Set the DisableATMFD registry key using a managed deployment script | Only works on older systems (i.e., pre-Windows 10), but completely mitigates the issue; in rare cases, however, it can introduce usability issues. |
| Set the DisableATMFD registry key manually | Only works on older systems (i.e., pre-Windows 10), but completely mitigates the issue; in rare cases, however, it can introduce usability issues. |
| Rename ATMFD.DLL | Only works on older systems (i.e., pre-Windows 10), but completely mitigates the issue; in rare cases, however, it can introduce usability issues. |

Figure 2: Security Advisory: ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability
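As an added example (not from Microsoft's advisory or the original post), the following PowerShell script audits the state of the first three workarounds in Figure 2 on a single host and, with -Apply, enforces them. The DisableATMFD key path and value are the ones the advisory gives; the script assumes the registry-backed Group Policy values NoPreviewPane and NoReadingPane for turning off the Explorer panes (the advisory describes the Explorer UI steps instead), an elevated PowerShell 3.0 or later session, and a reboot afterwards for DisableATMFD to take effect. Script and function names are illustrative.

```powershell
# Invoke-ADV200006Workarounds.ps1 (added example; names are illustrative)
# Audits and optionally applies the interim ADV200006 workarounds on one host.
[CmdletBinding()]
param([switch]$Apply)

$atmfdKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'          # path from the advisory
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'  # assumed: GP-backed pane toggles
$os     = Get-CimInstance Win32_OperatingSystem
$legacy = [version]$os.Version -lt [version]'10.0'   # atmfd.dll workarounds apply to Windows 8.1 and below

function Get-Adv200006Status {
    $dlls = @("$env:windir\System32\atmfd.dll", "$env:windir\SysWOW64\atmfd.dll") |
        Where-Object { Test-Path $_ }
    $disable = (Get-ItemProperty -Path $atmfdKey -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
    $disableText = 'not set'
    if ($null -ne $disable) { $disableText = $disable }
    $svc = Get-CimInstance Win32_Service -Filter "Name='WebClient'"
    $svcText = 'absent'
    if ($svc) { $svcText = "$($svc.State) / $($svc.StartMode)" }
    $pol = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OSVersion       = $os.Version
        LegacyAtmfdHost = $legacy
        AtmfdDllPresent = ($dlls -join '; ')
        DisableATMFD    = $disableText
        WebClient       = $svcText
        PreviewPaneOff  = [bool]$pol.NoPreviewPane
        DetailsPaneOff  = [bool]$pol.NoReadingPane
        # Rows 1 and 2 of the table are partial; only DisableATMFD fully mitigates, and only where atmfd.dll parses fonts.
        FullyMitigated  = ($legacy -and $disable -eq 1)
    }
}

function Set-Adv200006Workarounds {
    # Row 1: turn off the Explorer Preview and Details panes for the current user.
    New-Item -Path $explorerPolicy -Force | Out-Null
    New-ItemProperty -Path $explorerPolicy -Name NoPreviewPane -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $explorerPolicy -Name NoReadingPane -Value 1 -PropertyType DWord -Force | Out-Null

    # Row 2: stop and disable WebClient so a crafted font cannot be fetched over WebDAV.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled

    # Row 3: on Windows 8.1 and below, disable ATMFD entirely (the advisory's REG_DWORD DisableATMFD = 1).
    if ($legacy) {
        New-ItemProperty -Path $atmfdKey -Name DisableATMFD -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Warning 'DisableATMFD set; a reboot is required. Applications that rely on Type 1 fonts may misrender.'
    } else {
        Write-Warning 'DisableATMFD is not applicable on this OS version; only rows 1 and 2 were applied.'
    }
}

if ($Apply) { Set-Adv200006Workarounds }
Get-Adv200006Status | Format-List
```

Run it without parameters to get an inventory line per host (useful as a quick fleet check when pushed through a management tool), and with -Apply to enforce. The FullyMitigated field deliberately reports $false on Windows 10 even after -Apply, mirroring the table: the pane and WebClient rows only narrow the attack surface, and the complete fix on any version is the April 14 update.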

Because the vulnerabilities can be triggered through the Preview Pane, the user does not have to open the specific document or font file; selecting it in Windows Explorer so that the pane renders it is enough (see Figure 1). That makes for an easy, reliable attack vector through which threat actors and groups can gain a foothold on a targeted system and add it to their repertoire of tactics, techniques and procedures (TTPs).
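Because a crafted Type 1 font only has to be rendered, not opened, an incident responder's first question is usually whether any such fonts have landed on a host at all. The following PowerShell triage script, an added example that is not part of the advisory or the original post, walks a directory tree, recognises standalone Type 1 fonts by their documented PFA (clear-text "%!PS-AdobeFont" / "%!FontType1" header) and PFB (0x80 segment header) signatures, and flags the ones that declare Multiple Master design axes (the /BlendDesignPositions, /BlendDesignMap, /BlendAxisTypes and /WeightVector keys from the Type 1 Multiple Master specification). It assumes PowerShell 3.0 or later; the function names are illustrative and the sample font at the end is constructed, not a real font. It only catches loose font files and unencoded copies, not fonts compressed or obfuscated inside PDFs or Office containers, and a hit is a triage lead, not proof of exploitation.

```powershell
# Find-Type1Fonts.ps1 (added example; function names are illustrative)
# Triage loose Type 1 font files on a host and flag the Multiple Master ones.

function Test-Type1Font {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 16) { return $null }

    # PFB: 0x80 followed by a segment type (1 = ASCII, 2 = binary, 3 = EOF). PFA: clear-text PostScript header.
    $isPfb = ($bytes[0] -eq 0x80) -and (@(1, 2, 3) -contains $bytes[1])
    $len   = [Math]::Min($bytes.Length, 65536)   # the clear-text font dictionary sits at the front of the program
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes, 0, $len)  # Latin-1: one byte per char
    $isPfa = $text.StartsWith('%!PS-AdobeFont') -or $text.StartsWith('%!FontType1')
    if (-not ($isPfa -or $isPfb)) { return $null }

    # Multiple Master fonts declare their design axes in the clear-text portion of the font program.
    $mmKeys  = @('/BlendDesignPositions', '/BlendDesignMap', '/BlendAxisTypes', '/WeightVector')
    $markers = @($mmKeys | Where-Object { $text.Contains($_) })

    $container = 'PFA'
    if ($isPfb) { $container = 'PFB' }
    $sha = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)

    [pscustomobject]@{
        Path        = $Path
        Container   = $container
        MultiMaster = ($markers.Count -gt 0)
        Markers     = ($markers -join ',')
        SHA256      = ([BitConverter]::ToString($sha) -replace '-', '')   # for lookups and IOC sharing
    }
}

function Find-Type1Fonts {
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-Type1Font -Path $_.FullName } |
        Where-Object { $null -ne $_ }
}

# Demo on a constructed sample (a minimal PFA header carrying MM keys; not a real or malicious font).
$demoDir = Join-Path $env:TEMP 'type1-triage-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$sample = @"
%!PS-AdobeFont-1.0: DemoMM 001.000
/FontInfo 3 dict dup begin
/BlendAxisTypes [/Weight /Width] def
/BlendDesignPositions [[0 0][1 0][0 1][1 1]] def
end readonly def
/WeightVector [0.25 0.25 0.25 0.25] def
currentfile eexec
"@
[System.IO.File]::WriteAllText((Join-Path $demoDir 'demo-mm.pfa'), $sample)
Find-Type1Fonts -Root $demoDir | Format-Table Path, Container, MultiMaster, Markers -AutoSize

# Real use: sweep user-writable locations and keep only the Multiple Master hits.
# Find-Type1Fonts -Root $env:USERPROFILE | Where-Object MultiMaster | Format-Table -AutoSize
```

The demo run prints one row for demo-mm.pfa with MultiMaster set to True and the three markers it contains. Running the sweep over profile and download directories, temporary folders and mapped WebDAV paths, then pivoting on the SHA256 values, gives a concrete list of files to pull for analysis rather than a vague "check for fonts" action.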

As mentioned above, these two vulnerabilities were not the first of their kind in Microsoft Windows. In 2019, Flexera and the Zero Day Initiative reported the separate but similar vulnerabilities CVE-2019-1456 and CVE-2019-1419. To date, no technical details or proofs of concept (PoCs) have been published for the two 2020 vulnerabilities, but a public PoC exists for a 2016 vulnerability in the same library. While it is not a PoC for CVE-2020-1020 or CVE-2020-0938, it produces the same end result: code execution. The bug sits in ATMFD, which Microsoft describes as a "legacy" component that the operating system now "rarely" uses. The example shows a crafted OpenType (OTF) file being parsed by ATMFD.DLL on a 32-bit Windows 7 system (the operating system targeted in the attacks exploiting CVE-2020-1020 and CVE-2020-0938), where the malformed input corrupts a kernel pool allocation:

Figure 3: 'ATMFD.dll' NamedEscape 0x250C Pool Corruption (MS16-074)

The methods and function calls differ from those involved in the newest CVEs, but the example shows how an attacker has previously obtained code execution through this particular font library on Windows 7, the operating system targeted in the attacks Microsoft disclosed on March 23, 2020.

In the past, the Adobe Type Manager library has been a frequent target for vulnerability researchers: CVE-2015-2387, CVE-2015-2426, CVE-2015-2461, CVE-2016-3220, CVE-2016-7256, CVE-2017-0192, CVE-2018-0754, CVE-2018-0788 and CVE-2019-1412 all affected the same library. The library is based on Adobe's legacy code: Adobe licensed the core Adobe Type Manager code to Microsoft for font rendering in the late 1990s, it shipped with Windows 2000 and XP, and it has evolved in place since. Because it is ingrained in Windows and underpins word processing on the platform, it will take time for Microsoft to replace it fully with its own font-rendering subsystem and so mitigate this whole class of vulnerability; Windows 10 has already taken a step in that direction by moving font parsing out of the kernel into a sandboxed user-mode process, which limits the impact there. In the meanwhile, if attackers keep this logic in their attack structure, users should assume they will target more legacy libraries within the Windows operating system.

To learn more about these vulnerabilities and our Vulnerability Contributor Program (VCP), the oldest third-party bug-bounty program for advance notification of vulnerabilities like these, please visit the iDefense services overview page.

Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks

___

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Timothy Cantilena

Senior Security Analyst
