Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution [FIX]


A new critical vulnerability has been discovered in all Windows versions, tracked by Microsoft under security bulletin MS15-078. A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.

There is no official patch, but we can provide a workaround for this issue:

Rename ATMFD.DLL
For 32-bit systems:

  1. Enter the following commands at an administrative command prompt:
    cd "%windir%\system32"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F) 
    rename atmfd.dll x-atmfd.dll
    
  2. Restart the system.

For 64-bit systems:

  1. Enter the following commands at an administrative command prompt:
    cd "%windir%\system32"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F) 
    rename atmfd.dll x-atmfd.dll
    cd "%windir%\syswow64"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F) 
    rename atmfd.dll x-atmfd.dll
    
  2. Restart the system.
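The rename steps above, applied (or reversed) by one script instead of typed by hand, as an added example that is not part of the original post. It assumes an elevated PowerShell session and that takeown.exe and icacls.exe are available (both ship with Windows); the file names atmfd.dll, x-atmfd.dll and atmfd.dll.acl are the ones used in the steps, and the -Undo switch is this example's own addition for rolling the change back with the ACL that was saved.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: applies (or, with -Undo,
# reverses) the "Rename ATMFD.DLL" workaround on the local machine.
# Assumptions: elevated PowerShell; takeown.exe and icacls.exe on the path.
param(
    [switch]$Undo   # put atmfd.dll back and re-apply its saved ACL
)

$ErrorActionPreference = 'Stop'

# Directories that may hold a copy of the driver. SysWOW64 exists only on
# 64-bit Windows, so the same loop covers the 32-bit and 64-bit procedures.
$driverDirs = @("$env:windir\System32")
if (Test-Path "$env:windir\SysWOW64") { $driverDirs += "$env:windir\SysWOW64" }

# Run a console tool and fail on a non-zero exit code; takeown and icacls
# report problems through the exit code, not through a PowerShell error.
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    & $Exe @ToolArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Disable-Atmfd([string]$Dir) {
    if (-not (Test-Path (Join-Path $Dir 'atmfd.dll'))) {
        Write-Host "$Dir\atmfd.dll not present (already renamed or not installed)"
        return
    }
    Push-Location $Dir
    try {
        Invoke-Tool takeown.exe @('/f', 'atmfd.dll')
        Invoke-Tool icacls.exe  @('atmfd.dll', '/save', 'atmfd.dll.acl')   # keep the original ACL for undo
        Invoke-Tool icacls.exe  @('atmfd.dll', '/grant', 'Administrators:(F)')
        Rename-Item -Path 'atmfd.dll' -NewName 'x-atmfd.dll'
        Write-Host "$Dir\atmfd.dll renamed to x-atmfd.dll"
    } finally { Pop-Location }
}

function Restore-Atmfd([string]$Dir) {
    if (-not (Test-Path (Join-Path $Dir 'x-atmfd.dll'))) {
        Write-Host "$Dir\x-atmfd.dll not present, nothing to restore"
        return
    }
    Push-Location $Dir
    try {
        # The saved ACL is recorded under the name atmfd.dll, so rename back
        # first and then restore it against the directory holding the file.
        Rename-Item -Path 'x-atmfd.dll' -NewName 'atmfd.dll'
        Invoke-Tool icacls.exe @('.', '/restore', 'atmfd.dll.acl')
        Remove-Item 'atmfd.dll.acl'
        Write-Host "$Dir\atmfd.dll restored with its saved ACL"
    } finally { Pop-Location }
}

foreach ($dir in $driverDirs) {
    if ($Undo) { Restore-Atmfd $dir } else { Disable-Atmfd $dir }
}
Write-Host 'Restart the system for the change to take effect.'
```

Run it from a 64-bit PowerShell session on 64-bit Windows; a 32-bit process has its System32 path redirected to SysWOW64 by the file system redirector and would touch only one copy. Run with -Undo after the proper update is installed so the driver comes back with the ACL that was saved before the rename.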

For Windows 8 and later disable ATMFD:

Method 1 (manually edit the system registry):

  1. Run regedit.exe as Administrator.
  2. In Registry Editor, navigate to the following subkey (or create it) and set the DWORD value DisableATMFD to 1:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
    DisableATMFD, DWORD = 1
  3. Close Registry Editor and restart the system.


Method 2 (use a managed deployment script):

  1. Create a text file named ATMFD-disable.reg that contains the following text:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DisableATMFD"=dword:00000001
    
  2. Run regedit.exe.
  3. In Registry Editor, click the File menu and then click Import.
  4. Navigate to and select the ATMFD-disable.reg file that you created in the first step.
    (Note: if your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog's file type filter to All Files.)
  5. Click Open and then click OK to close Registry Editor.
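Both registry methods above in one script, as an added example that is not part of the original post: it sets the DisableATMFD value directly (Method 1), writes out the same ATMFD-disable.reg file for a deployment tool to import (Method 2), and reports the current state so the change can be verified. It assumes an elevated PowerShell session on Windows 8 or later; the -Remove switch and the default location of the .reg file under %TEMP% are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: sets (or, with -Remove,
# clears) the DisableATMFD value, writes the ATMFD-disable.reg file from
# Method 2, and reports the current state. Assumes an elevated PowerShell
# session; the .reg file location is a placeholder chosen for this example.
param(
    [switch]$Remove,
    [string]$RegFilePath = "$env:TEMP\ATMFD-disable.reg"   # placeholder path
)

$ErrorActionPreference = 'Stop'
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$name = 'DisableATMFD'

# Returns the current DWORD value, or $null when the value is not present.
function Get-AtmfdState {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

# Method 1: create the subkey if needed and set DisableATMFD = 1.
function Set-AtmfdDisabled {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
}

function Clear-AtmfdDisabled {
    if ($null -ne (Get-AtmfdState)) {
        Remove-ItemProperty -Path $key -Name $name
    }
}

# Method 2: the same content as the post's ATMFD-disable.reg, written as
# UTF-16 LE with BOM, which is what regedit expects for a version 5.00 file.
function Write-AtmfdRegFile([string]$Path) {
    $content = @(
        'Windows Registry Editor Version 5.00',
        '',
        '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]',
        '"DisableATMFD"=dword:00000001'
    )
    Set-Content -Path $Path -Value $content -Encoding Unicode
}

if ($Remove) {
    Clear-AtmfdDisabled
} else {
    Set-AtmfdDisabled
    Write-AtmfdRegFile -Path $RegFilePath
    Write-Host "Wrote $RegFilePath for import with regedit or a deployment tool"
}

# Report what is actually in the registry now, not what was requested.
$state = Get-AtmfdState
if ($null -eq $state) {
    Write-Host 'DisableATMFD not set: ATMFD remains enabled'
} elseif ($state -eq 1) {
    Write-Host 'DisableATMFD = 1: ATMFD is disabled after the next restart'
} else {
    Write-Host "DisableATMFD = $state (unexpected value, ATMFD remains enabled)"
}
```

The state report is the part worth keeping in a fleet check: the value only takes effect after a restart, so a host that shows DisableATMFD = 1 but has not rebooted since is still running the driver.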


Impact of workaround: applications that rely on embedded font technology will not display properly. Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them, and those applications could be affected by this change.
