back to article It's 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, either

Hackers are commandeering victims' Windows PCs by exploiting at least one remote-code-execution flaw in the Adobe Type Manager Library included with the Microsoft operating system. No patches are available right now. Redmond today warned of two flaws, not yet assigned CVE numbers, present in the font parser – and at least one …

  1. Shadow Systems Silver badge
    Facepalm

    Sigh. Not again...

    I realize I'm in the minority, not everyone will find my solution feaseable, but the fact that I'm totally blind & my screen reader reads *everything* in plain text means I should be able to force Windows never to display anything except in very specific fonts. I don't need all the fancy serif's & fiddly bits, just render in plain text so my reader can do it's damned job. Yet I have(?) to leave the font handling service running lest Windows has a hissy fit. Why? Just flush the font folder of everything except the fonts I know work, won't render my system FUBAR, and ignore every font "required" by whatever program I'm running at the time.

    You allow it in the browser, why not for the entire OS as a whole? This wouldn't just help me & folks in a similar boat, it would benefit *everyone* whom felt like hardening their machine against such attack vectors.

    Of course, that's the reason why MS can't allow it -- we might start getting uppity & demanding an OS that was fit for fekkin' purpose.

    *Smashes head on the desk in frustration until I pass out*

    1. -tim
      Facepalm

      Re: Sigh. Not again...

      The browsers love to download bad fonts because someone from the colored pencil office thinks it is cool. Then you have the extremes like Atlassian who have their own bad font and force it on everyone who uses their platform with no option to use better fonts. The person who made that decision needs to be hit with a copy of the METAFONTbook.

      1. Michael Wojcik Silver badge

        Re: Sigh. Not again...

        Yes. @font-face is perhaps the stupidest idea in CSS, and CSS is not short on stupid ideas.

        I routinely disable font downloading in my browsers, and I've never had reason to miss it. (And it's not that I don't appreciate a good typeface; I studied typography in one of my degree programs.) But few users will know how, or why, to do that.

  2. ST Silver badge
    Devil

    Aaaaaah, yes. Another security hole in Windows.

    Who needs ActiveX when you can use the font parser?

    Note: Microsoft says it's C++'s fault.

    1. bombastic bob Silver badge
      Trollface

      Re: Aaaaaah, yes. Another security hole in Windows.

      "Microsoft says it's C++'s fault."

      Blame the COMPILER and LIBRARY author!!! No, wait...

      So what fix will we do in "older windows"? My guess: don't view documents with MS office products... ESPECIALLY not documents with embedded fonts!!!

      (I'll want to know what effect it has with Libre Office)

    2. Paul Hovnanian Silver badge

      Re: Aaaaaah, yes. Another security hole in Windows.

      "Note: Microsoft says it's C++'s fault."

      It's a poor workman that blames his tools.

    3. Michael Wojcik Silver badge

      Re: Aaaaaah, yes. Another security hole in Windows.

      C++ blames machine code. Machine code mutters something under its breath about the CPU. The CPU glares in the direction of the nearest electron.

      1. nagyeger

        Re: Aaaaaah, yes. Another security hole in Windows.

        The electron, having been looked at, is no susceptible to further interrogation because someone went and observed the thing rather than locking it down and putting it in quarantine, and now there's a lot of uncertainty about were it is or how fast it's going.

  3. kmedcalf

    FIle Not Found

    Windows 10 1909 (at least mine) has no file anywhere called ATMFD.DLL

    All other mitigations are already in effect and have been since this vulnerability appeared about half-a-decade ago.

    1. Notas Badoff

      Re: FIle Not Found

      From linked doc:

      "Rename ATMFD.DLL

      Please note: ATMFD.DLL is not present in Windows 10 installalations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the mitigation section for more information."

      My install says version 1809. Ah, separately it says:

      "Windows 10 1809/Server 2019 All fonts are processed in fontdrvhost.exe in user mode appcontainer. ATMFD.DLL status:Not present"

      Of course, separately it says:

      "Windows 10 Version 1809 for 32-bit Systems Remote Code Execution Critical"

      Sounds as reassuring as a Trump press conference: guess which one statement of many actually has some link with 'truth'.

      1. kmedcalf

        Re: FIle Not Found

        I just added fontdrvhost.exe to my process scanner so that kills any process with that name. Seems to work fine and after killing fontdrvhost.exe there seems to be no effect. Haven't yet found what MS Crap starts it, but it kills quite effectively.

  4. redpawn

    Don't worry

    Ransomware writers are taking the month off in light of COVID-19 and strict adherence to their ethical code and all...

    1. Richard 12 Silver badge
      Unhappy

      Re: Don't worry

      Actually, they probably are.

      It's probably more lucrative to switch to old school fraud selling "surgical" masks and fake cures at the moment.

      1. Mage Silver badge
        Devil

        Re: Don't worry

        Someone already arrested in the UK selling fake testing kits. Even more lucrative than masks and more believable than a "cure".

      2. J. Cook Silver badge

        Re: Don't worry

        I've noticed an uptick in spamvertised mask sales, so you are not too far off there.

  5. Anonymous Coward
    Anonymous Coward

    font owning a PC

    Ain't life great in MS land ?

    A font, a bloody font, seriously ? Does anything run without admin privileges in Windows, nowadays ?

    1. Michael Wojcik Silver badge

      Re: font owning a PC

      Actually, in the most recent releases of Win10, font parsing apparently runs in usermode with the privileges of the invoking user.

      But note this is not the first RCE in Windows font processing. It's not even the first one in the Adobe Type Manager library. All of that crap needs to be taken out behind the shed, and replaced with something running in a safer environment. Font rendering has some excuse for wanting native-code processing for performance; font parsing does not. Routinely parsing thousands of font descriptions a second would be a very specialized use case.

  6. Pascal Monett Silver badge

    "a miscreant can include a malformed multi-master font in a document"

    That means that the miscreant is sending me a mail with a document attached and expecting me to open it because COVID-19 or my bank or whatever.

    I have a very fine bullshit detector and I can assure you that your mail will be filed in SPAM faster than you can blink and your document will not be opened or previewed in any way.

    That settles that problem.

    Now, I've checked my Win 7 installation and it has, in perfect Microsoft form, no less than 12 copies on disk. Two that are in Windows\System32 and \SysWOW64, and ten copies in \winsxs\ followed by a slew of characters that would take way too much time for me to type here and nobody cares about reading that anyway.

    Then there are two more copies in \winsxs\Backup, in which the file names start by "amd64_microsoft_windows_gdi_" and another slew of characters etc etc.

    Which ones can I get rid of, anybody know ?

    1. fnusnu

      Re: "a miscreant can include a malformed multi-master font in a document"

      All of them, along with the rest of Windows 7.

    2. Anonymous Coward
      Anonymous Coward

      Re: "a miscreant can include a malformed multi-master font in a document"

      If your OS can be pwned simply by opening a document sent in an email, your OS is not for purpose.

      Spam is an annoyance, not a security risk.

      1. LDS Silver badge

        Re: "a miscreant can include a malformed multi-master font in a document"

        Is it much different if it's a font for whatever your browser displays? Or downloaded from it? Email is just one of the several channels you can use to deliver external contents on someone else's computer.

        1. Paul Hovnanian Silver badge

          Re: "a miscreant can include a malformed multi-master font in a document"

          But in real operating systems the e-mail client, browser or any other applications run with the permissions granted to the user that runs them. And if configured properly, users (other than admin, root, etc.) don't have permission to mess with kernel data and trusted binaries.

    3. Mike 16 Silver badge

      ... and expecting me to open it ...

      As I read the article, you don't _have_ to open it. All you need to do is fail to catch one of the many "features" that include Preview (E.G. Lookout or Windows Exploder). That _preview_ will invoke a series of unfortunate events.

      Last time I had to use Windows at work, the Outlook preview pane seemed to be the main enabler for malware. And yet many (most?) in the office found it too convenient to lose. Apparently nothing has changed in a decade.

      (Yes, other handy applications, and websites (gmail?), will obligingly load images etc. "just in case" you want them. It is the usual Whack-a-Mole to keep disabling it after "upgrades".)

    4. Michael Wojcik Silver badge

      Re: "a miscreant can include a malformed multi-master font in a document"

      That means that the miscreant is sending me a mail with a document attached

      MIME called to let you know that many MUAs support embedding fonts for the main message text, no attached document necessary. Perhaps you have an MUA that's smart enough to ignore that bullshit, or at least let you configure it to be smart enough to ignore that bullshit.

      In either case, it's more likely that said miscreant sends an email to someone you know, with some social engineering to get that person to forward it to various others. If I wanted to spread an email-borne virus around, I'd just send it to a mailing list, or kick off one of those agonizingly long everyone-forwards-the-entire-chain-thus-far email threads so popular at work.

      Filtering by senders and subjects helps, but it's not perfect.

  7. oiseau Silver badge
    FAIL

    Guaranteed

    All supported versions of Windows are affected.

    ... exclusively supported by Microsoft ...

    Well ...

    So much for the ... guaranteed to be healthy and well looked-after for the next six months.

    O.

  8. Ken Moorhouse Silver badge

    A bunch of Dodgy Characters

    Basically, this is what these fonts boil down to, innit?

    Offenders should be subjected to Capital Punctuation.

  9. Anonymous Coward
    Anonymous Coward

    Why the Details pane?

    I understand that Preview is a risk, but why also the Details pane? I thought it doesn't open the document in any way, but just displays the file name and metadata in the standard Windows Explorer font.

    1. It's just me
      FAIL

      Re: Why the Details pane?

      If I recall correctly, for at least some file types, Windows runs the file in the associated application in order to extract that metadata.

  10. Mark 85 Silver badge

    Other browsers?

    Are other browsers affected by this? I'm only seeing warnings for MS flavors.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020