Two Critical Vulnerabilities in Windows 7-10, No Patch Yet

Microsoft today revealed that in Windows 7, 8 and 10 two critical vulnerabilities exist in the font subsystem of the OS. Both of them are already exploited in "limited, targeted attacks". The company is working on a fix, and suggests a workaround.

Here is the most important info about them:

  • Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.
  • The vulnerable library ATMLIB.DLL works in kernel space.
  • Windows 10 is more protected by its AppContainer/Sandbox technology.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. To mitigate the flaw, Microsoft offers the following solutions. Note that none of them prevent an authenticated user from running a malformed document that can be used to exploit the vulnerability.

Disable WebClient Service

  1. Press Win+R and type services.msc into the Run box.
  2. Hit Enter and find the WebClient service in the service list.
  3. Double click on it to open its Properties dialog.
  4. Change the Startup type to Disabled. If the service is running, click Stop.

Microsoft believes that this will help to exclude the remote attack vector.

There is also a workaround for the local system. It requires changing a few options for File Explorer.

Change File Explorer Options

  1. Close all running File Explorer instances.
  2. Open a new File Explorer window (Win+E).
  3. Disable the Preview pane if you have it enabled.Windows 10 Enable Preview Pane
  4. Disable the Details pane if you have it enabled.Windows 10 Preview Pane Default
  5. Turn on "Always show icons, never thumbnails" in Folder Options.Disable Thumbnail Previews In File Explorer In Windows 10

Finally, you can disable the problematic font parser in the Registry. However, this may break certain apps that rely on that font library. Try and see if you can use Windows with it disabled until it is patched.

Disable the parser in the Registry

  1. Open the Registry Editor app.
  2. Go to the following Registry key.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    See how to go to a Registry key with one click.
  3. On the right, modify or create a new 32-Bit DWORD value DisableATMFD.
    Note: Even if you are running 64-bit Windows you must still create a 32-bit DWORD value.
  4. Set its value to 1.
  5. To make the changes done by the Registry tweak take effect, you need to restart Windows 10.

Microsoft will soon issue a fix for Windows 7, Windows 8/8.1, and Windows 10. Windows 7 users have to obtain the paid Extended Security Updates (ESU) subscription to receive it.

4 thoughts on “Two Critical Vulnerabilities in Windows 7-10, No Patch Yet

  1. Dave

    So, what does “WebClient” do anyways?

    After a little searching I found” it enables me to work with web based programs and files”.

    So I need it to use google docs and google calender yes?

    Reply
    1. Sergey Tkachenko Post author

      no. they are in the browser.

      Reply
  2. Andreas

    Hey guys,

    you say that Microsoft will soon issue a fix for Windows 7 WITHOUT paid Extended Security Updates (ESU) subscription.

    But Microsoft itself states that there will NOT be a fix for Windows 7 without paid ESU – see FAQ section https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

    Can you clarify your statement?

    Thank you very much in advance!
    Andreas

    Reply
    1. Sergey Tkachenko Post author

      Hello Andreas,
      Thanks for your comment.
      It looks like I misread the advisory.
      You are right, ESU is required.
      I’ve updated the post.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *