0x00 Vulnerability background
Microsoft today published a new security advisory warning billions of Windows users about two new critical, unpatched zero-day vulnerabilities that could let attackers remotely take control of targeted computers.
According to Microsoft, both unpatched flaws have already been used in limited targeted attacks and affect all supported versions of the Windows operating system, including Windows 10, 8.1, and Server 2008, 2012, 2016 and 2019, as well as Windows 7, for which Microsoft ended support on January 14, 2020.
Both vulnerabilities reside in the Windows Adobe Type Manager Library, a font-parsing library that not only parses content when files are opened with third-party software, but is also used by Windows Explorer to display file contents in the "Preview Pane" or "Details Pane" without the user opening the file.
The flaws exist in Microsoft Windows because the Adobe Type Manager Library improperly "handles a specially crafted multi-master font - Adobe Type 1 PostScript format", allowing a remote attacker to execute arbitrary malicious code on the target system by convincing the user to open a specially crafted document or to view it in the Windows Preview Pane.
Microsoft stated: "For systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities."
At present it is unclear whether the flaws can also be triggered remotely through a web browser by convincing a user to visit a web page containing a specially crafted malicious OTF font, but an attacker could exploit the vulnerability in several other ways, for example through the Web Distributed Authoring and Versioning (WebDAV) client service.
0x01 Affected versions
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
0x02 Mitigation recommendations
Microsoft's advisory offers several options from which users can choose (see the reference links); this notice mainly recommends renaming the ATMFD.DLL file.
Mitigation for 32-bit systems:
- Run the following in a command prompt with administrator privileges:
  cd "%windir%\system32"
  takeown.exe /f atmfd.dll
  icacls.exe atmfd.dll /save atmfd.dll.acl
  icacls.exe atmfd.dll /grant Administrators:(F)
  rename atmfd.dll x-atmfd.dll
- Restart the system
Mitigation for 64-bit systems:
- Run the following in a command prompt with administrator privileges:
  cd "%windir%\system32"
  takeown.exe /f atmfd.dll
  icacls.exe atmfd.dll /save atmfd.dll.acl
  icacls.exe atmfd.dll /grant Administrators:(F)
  rename atmfd.dll x-atmfd.dll
  cd "%windir%\syswow64"
  takeown.exe /f atmfd.dll
  icacls.exe atmfd.dll /save atmfd.dll.acl
  icacls.exe atmfd.dll /grant Administrators:(F)
  rename atmfd.dll x-atmfd.dll
- Restart the system
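The command sequences above, wrapped as an added PowerShell example for checking and applying the ATMFD.DLL rename on either architecture. This script is not part of the original notice or of Microsoft's advisory; it assumes an elevated PowerShell session, derives the directories from %windir%, and treats the presence of SysWOW64 as the 64-bit case. It saves the current ACL beside the file, as the advisory's commands do, so the rename can be reversed; restoring the original file ownership is not handled here and should follow the advisory's own undo steps.

```powershell
# Added example (not from the original notice or Microsoft): reports whether the
# ATMFD.DLL rename workaround is in place and optionally applies or reverses it.
# Assumes an elevated PowerShell session; $env:windir supplies the base directory.

function Test-IsElevated {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AtmfdDirectories {
    # System32 always; SysWOW64 only exists on 64-bit Windows.
    $dirs = @(Join-Path $env:windir 'System32')
    $wow = Join-Path $env:windir 'SysWOW64'
    if (Test-Path $wow) { $dirs += $wow }
    return $dirs
}

function Get-AtmfdStatus {
    # One record per directory: present (not mitigated), renamed (mitigated), or absent.
    foreach ($dir in Get-AtmfdDirectories) {
        $original = Join-Path $dir 'atmfd.dll'
        $renamed  = Join-Path $dir 'x-atmfd.dll'
        $state = if (Test-Path $original)    { 'Present (workaround NOT applied)' }
                 elseif (Test-Path $renamed) { 'Renamed (workaround applied)' }
                 else                        { 'Not found (nothing to rename in this directory)' }
        [pscustomobject]@{ Directory = $dir; State = $state }
    }
}

function Invoke-AtmfdRename {
    # Mirrors the notice's per-directory sequence: take ownership, save the current
    # ACL next to the file, grant Administrators full control, rename the DLL.
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    foreach ($dir in Get-AtmfdDirectories) {
        if (-not (Test-Path (Join-Path $dir 'atmfd.dll'))) { continue }
        Push-Location $dir
        try {
            takeown.exe /f atmfd.dll | Out-Null
            icacls.exe atmfd.dll /save atmfd.dll.acl | Out-Null
            icacls.exe atmfd.dll /grant 'Administrators:(F)' | Out-Null
            Rename-Item -Path 'atmfd.dll' -NewName 'x-atmfd.dll'
        } finally { Pop-Location }
    }
    Write-Host 'Rename complete; restart the system for the change to take effect.'
}

function Undo-AtmfdRename {
    # Reverses the rename and reapplies the saved DACL; ownership is not restored here.
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    foreach ($dir in Get-AtmfdDirectories) {
        if (-not (Test-Path (Join-Path $dir 'x-atmfd.dll'))) { continue }
        Push-Location $dir
        try {
            Rename-Item -Path 'x-atmfd.dll' -NewName 'atmfd.dll'
            if (Test-Path 'atmfd.dll.acl') { icacls.exe . /restore atmfd.dll.acl | Out-Null }
        } finally { Pop-Location }
    }
    Write-Host 'Undo complete; restart the system for the change to take effect.'
}

# Usage (elevated prompt):
#   Get-AtmfdStatus      # report the state of each directory
#   Invoke-AtmfdRename   # apply the workaround, then restart
#   Undo-AtmfdRename     # reverse it once a patch is installed, then restart
```

Get-AtmfdStatus is safe to run on any host and is the useful part for an inventory pass across a fleet: a directory that reports "Present" still loads the vulnerable library after the next reboot, while "Not found" means this build ships without the file and the rename workaround does not apply there.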
0x03 Timeline
2020-03-23 Microsoft released the emergency vulnerability advisory
2020-03-24 This vulnerability notice was published
0x04 References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200006
- https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html