0Patch publishes micropatch to address Windows Font Parsing vulnerability

Martin Brinkmann
Mar 27, 2020
Security, Windows

Microsoft published an advisory about a new font parsing vulnerability in Windows on March 23, 2020. The company rated the vulnerability as critical and said that it was aware of limited targeted attacks exploiting the vulnerability.

Microsoft listed several workarounds to mitigate attacks but they all reduced functionality for users in one way or another.

Microsoft has yet to release a security patch to address the issue for all versions of Windows affected by the vulnerability.

Security company 0Patch is well known for its pledge to create and distribute patches for Windows 7 and Windows Server 2008 R2, which ran out of official support in January 2020. While business and Enterprise customers may extend support by up to three years through Microsoft's paid Extended Security Updates (ESU) program, home users cannot do so officially; 0Patch's micropatches are aimed at that gap.

Microsoft has already announced that it won't provide the font parsing patch for Windows 7 systems that are out of support, but will provide it to businesses and Enterprise organizations that have joined the Extended Security Updates (ESU) program.

0Patch announced today that it has created a micropatch for the font parsing vulnerability, which affects all major client and server versions of the Windows operating system.

A blog post on the official 0Patch blog lists the official information and analyzes the workarounds that Microsoft posted. While all of them work to a degree, each has disadvantages that 0Patch highlights. Disabling the preview pane, details pane and thumbnails in Windows Explorer, for example, only blocks attacks that go through Explorer's own preview and thumbnail rendering; any other application that passes a font to Windows remains exposed.


The team analyzed the vulnerability -- it had to, since Microsoft did not disclose details about it -- and found a solution that it turned into a micropatch.

Basically, what 0Patch did was put a bouncer in front of font operations that rejects Adobe Type 1 PostScript fonts, so that the vulnerable code in ATMFD.DLL is never reached with attacker-controlled input.

So we decided to find the common execution point that various Windows applications such as Windows Explorer, Font Viewer, and applications using Windows-integrated font support are using to pass a font to Windows, then place a bouncer there that would keep Adobe Type 1 PostScript fonts out.

The blog post goes into detail on the implementation; users who want to know exactly where the bouncer was placed should read it.

All administrators need to do is install the 0Patch Agent on the device; the agent fetches and applies the micropatch to the running processes, and ATMFD.DLL itself is left untouched.

With this micropatch in place, all applications using Windows GDI for font-related operations will find any Adobe Type 1 PostScript fonts rendered invalid and unable to load. For example, Windows Explorer will start looking like this when viewing a folder with a pair of otherwise valid PFM and PFB files.
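The following PowerShell script is an added example; it is not code from the article, from Microsoft or from 0Patch. It serves the two passages above: it reports the state of the Microsoft workarounds the article discusses (the DisableATMFD registry value, the WebClient service, and whether ATMFD.DLL is still present or has been renamed) on a Windows 7 or Server 2008 R2 host, and it inventories the installed fonts that ATMFD.DLL renders (Adobe Type 1 PFB/PFA and OpenType with CFF outlines, identified by their leading bytes rather than by extension), which are exactly the fonts that both the DisableATMFD workaround and 0Patch's bouncer leave unloadable. The registry path, value name and service name are those from Microsoft's advisory; the magic bytes come from the Type 1, OpenType and TrueType format specifications; the function names and the optional -Apply switch are my own.

```powershell
# Added example (not from the article, Microsoft or 0Patch): audit the ADV200006
# workarounds on Windows 7 / Server 2008 R2 and list the fonts that ATMFD.DLL
# renders, i.e. what disabling ATMFD (or 0Patch's bouncer) will make unloadable.
# Run from an elevated PowerShell; works on the PowerShell 2.0 that ships with Windows 7.
# Assumptions: value/service names as in Microsoft's advisory; magic bytes from the
# Type 1 / OpenType / TrueType specifications.
param([switch]$Apply)   # -Apply sets DisableATMFD=1 and disables the WebClient service

$atmfdKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$atmfdDlls = @("$env:windir\System32\atmfd.dll", "$env:windir\SysWOW64\atmfd.dll")
$fontDir   = Join-Path $env:windir 'Fonts'

function Get-FontKind {
    # Classify a font file by its first bytes so renamed files are not missed.
    param([string]$Path)
    $buf = New-Object byte[] 16
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Close() }
    if ($n -lt 4) { return 'unknown' }
    $head = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
    # PFB: every segment starts with 0x80 followed by the segment type (0x01 = ASCII text)
    if ($buf[0] -eq 0x80 -and $buf[1] -eq 0x01) { return 'Type1-PFB' }
    # PFA: plain PostScript text
    if ($head.StartsWith('%!PS-AdobeFont') -or $head.StartsWith('%!FontType1')) { return 'Type1-PFA' }
    # OpenType with CFF (PostScript) outlines, also handled by ATMFD.DLL
    if ($head.StartsWith('OTTO')) { return 'OpenType-CFF' }
    # TrueType outlines: sfnt version 0x00010000, or 'true' on fonts from the Mac world
    if ($head.StartsWith('true') -or
        ($buf[0] -eq 0 -and $buf[1] -eq 1 -and $buf[2] -eq 0 -and $buf[3] -eq 0)) { return 'TrueType' }
    return 'unknown'
}

function Get-WorkaroundState {
    # One line per workaround; Win32_Service is used because Get-Service on
    # PowerShell 2.0 does not expose the startup type.
    $disable = (Get-ItemProperty -Path $atmfdKey -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
    $disableText = 'not set'
    if ($disable -eq 1) { $disableText = 'set (takes effect after reboot)' }
    $web = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $webText = 'service absent'
    if ($web) { $webText = "$($web.StartMode) / $($web.State)" }
    $present = @($atmfdDlls | Where-Object { Test-Path $_ })
    $dllText = 'none found (renamed or removed)'
    if ($present.Count -gt 0) { $dllText = $present -join '; ' }
    New-Object PSObject -Property @{
        DisableATMFD    = $disableText
        WebClient       = $webText
        AtmfdDllPresent = $dllText
    }
}

function Get-AtmfdFontInventory {
    # Fonts in %windir%\Fonts that ATMFD.DLL renders: Type 1 and OpenType/CFF.
    Get-ChildItem -Path $fontDir -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $kind = Get-FontKind -Path $_.FullName
            if ($kind -like 'Type1-*' -or $kind -eq 'OpenType-CFF') {
                New-Object PSObject -Property @{ File = $_.Name; Kind = $kind }
            }
        }
}

if ($Apply) {
    # Workaround "Disable ATMFD": the same DWORD the advisory's .reg file sets.
    New-ItemProperty -Path $atmfdKey -Name DisableATMFD -PropertyType DWord -Value 1 -Force | Out-Null
    # Workaround "Disable the WebClient service": closes the WebDAV delivery path.
    Set-Service -Name WebClient -StartupType Disabled
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Write-Host 'DisableATMFD set and WebClient disabled; reboot for the ATMFD change to take effect.'
}

Get-WorkaroundState | Format-List
Get-AtmfdFontInventory | Sort-Object Kind, File | Format-Table -AutoSize
```

Saved as, say, Check-Atmfd.ps1 (the file name is mine), the script audits by default and applies the two reversible workarounds with -Apply; both can be undone with the same cmdlets (value 0, StartupType Manual). Renaming ATMFD.DLL is deliberately not automated, since it requires the takeown/icacls permission changes described in Microsoft's advisory. The inventory is the part to read before applying either the registry workaround or the micropatch: every font it lists will stop loading.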

The patch is available for free for Windows 7 64-bit and Windows Server 2008 R2 without Extended Security Updates. 0Patch plans to create patches for the ESU versions of Windows 7 and Windows Server 2008 R2, as well as for Windows 8.1 and Windows Server 2012, soon.

Windows 10 and the current Windows Server releases won't receive the patch, as these systems face less of a risk from the vulnerability than previous versions of Windows: Microsoft's advisory notes that on Windows 10 font parsing runs in a restricted user-mode sandbox, whereas on Windows 7 and 8.1 the ATMFD.DLL font driver runs in kernel mode, so a successful exploit there gains kernel privileges.

Now You: Do you use 0Patch software to micro-patch vulnerabilities?


Comments

  1. lovejit said on March 30, 2020 at 9:15 am
    Reply

    As soon as possible that new Laptop is getting Mint 19.3(Kernel 5.6) and dual booted with 10(1809) Home and 10 kept offline for obvious reasons.

  2. MoveOnOutOfThere said on March 29, 2020 at 8:14 pm
    Reply

    I’m keeping my Windows 7/7 Pro laptops in a dual boot arrangement with Mint 19.3 since 7 went EOL and 7’s not allowed online to worry about any further patching. So I can still use 7 if needed but mostly that 7 partition remains un-booted on the laptops while Mint 19.3 has the run of the Internet and everyday use.

    Maybe some folks have reasons, dependencies, on MS’s software stack but every single open source software package that I’m using runs better under Mint 19.3 than under Windows, especially some open source graphics software that has some updated OpenGL requirements that require ongoing/continued OS/Driver/Graphics API attention that Linux gets but 7 and 8.1 do not.

    So Blender 2.8/later works fine on one Ivy Bridge based ProBook under Mint 19.3 but on that very same laptop under Windows 7 Pro Blender 2.8 has some crashing going on in that Blender 2.8/later edit mode and its new work-spaces tabs. So 7 and 8.1(Effectively) are deprecated for new Graphics API and Graphics driver support and that’s where Linux/Linux Mint makes all the difference between Blender 3D 2.8/later being usable and unusable on an older Intel Ivy Bridge CPU based laptop.

    And no amount of patching can fix 7’s/8.1’s(Effectively) support being legacy/deprecated in order to force folks towards 10 and that rolling nightmare. It’s just a matter of Linux Kernel 5.6 becoming available as an update Kernel for Mint 19.3 that prevents me from doing the same with Windows 10(1809) Home on my newest laptop that’s currently being kept offline to be kept safe from some Redmond related forced breakage. So as soon as possible that new Laptop is getting Mint 19.3(Kernel 5.6) and dual booted with 10(1809) Home and 10 kept offline for obvious reasons.

    It’s just too much with the 10 feature updates and driver forcing and a brand new laptop that was vetted/certified for Windows 10(1803) home, forced updated to 1809, and that Laptop’s OEM not likely to expend much effort to do any driver/laptop hardware re-certification/re-vetting for the 10(1909) feature update that WU is offering me currently. And that new laptop’s make/model having documented issues with 1903/1909. So unlike under 7/8.1 where a new laptop’s hardware drivers remained relatively stable after release under 7/8.1 that same laptop under 10 becomes rapidly out of date with respect to hardware/drivers under 10’s mad rapid release cadence where everything’s too new and unstable and MS’s end users are used as the BETA testers.

  3. black mamba said on March 29, 2020 at 12:20 pm
    Reply

    > What’s not to understand? Microsoft is a company, where demanding free services of them is silly.

    IMO It’s silly to use MS:Windows. Switch to Linux/BSD free & open source software.

  4. Philip Janissary said on March 29, 2020 at 12:06 pm
    Reply

    When MS ended the support for Windows 7 I was looking for any Ubuntu like alternative to replace 7. But was having a hard time finding one that performs equally well on an underpowered system. Will try 0Patch now to see if it enables me to use Windows 7 until I buy a new PC.
    However, how’s the privacy record of Acros Security? Can they be trusted with user data?

  5. AJNorth said on March 28, 2020 at 7:06 pm
    Reply

    I have been exceedingly impressed by Mitja Kolsek and his team at 0Patch.

    One client’s machine failed an Internet Explorer 11 test for a critical patch they had issued early on; they were exceedingly generous in their time and effort to diagnose the problem and help in solving it.

    After using 0Patch Pro for a couple of weeks, I began strongly recommending to everyone that I know still running a Windows 7 box that they purchase a Pro license ASAP.

    This company’s commitment to excellence and customer service is reminiscent of what was the commonplace in the 1960s.

  6. Anonymous said on March 28, 2020 at 12:35 pm
    Reply

    “Microsoft already announced that it won’t provide the font parsing patch for unsupported versions of Windows 7 while it will provide it to companies and Enterprise organizations that have joined the ESU program to receive extended support updates.”

    They care about our security when it’s an excuse to collect our browsing history when it’s not necessary. But when it makes them more money to deliberately not distribute security patches that they have already developed, our security is a threat to their bottom line.

    1. getreal said on March 28, 2020 at 7:21 pm
      Reply

      What’s not to understand? Microsoft is a company, where demanding free services of them is silly.

      Microsoft supported Windows 7 longer than they had to, but no longer.

      Although I may not like that, I see no problem with it, as I understand the world doesn’t revolve around me.

  7. Peter Chapa said on March 28, 2020 at 3:30 am
    Reply

    Just purchased pro version yesterday, partly due to this font flaw and Microsoft’s delay in fixing it.

  8. farewell said on March 28, 2020 at 1:36 am
    Reply

    And not a single link to the download. Blessed post

    1. Weilan said on March 28, 2020 at 12:45 pm
      Reply

      I could be wrong, but I think this 0Patch is actually a paid utility that gets you some updates that are enterprise-only.

  9. DirCompUser said on March 27, 2020 at 11:01 pm
    Reply

    I can’t understand this topic. When I searched for

    "DisableATMFD"=dword:00000001

    I found

    https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-077

    which at a cursory glance seems to be about the same (?) problem but dates back five years. Its solution involves adding that registry key but it says for Windows 8 or newer so interesting if it actually works on Windows 7.

    The article says:

    “To exploit the vulnerability, an attacker would first have to log on to a target system and then run a specially crafted application.”

    For the average home user connected to the net how is an attacker going to log on which would require circumventing the router’s firewall and knowing the login ID and pw?

    Or would OSArmor block the exploit?

    As Windows 10 seems to be a timesink of problems I’m waiting till next month when iirc the next Debian lts(?) is due before I clean the remaining stuff off the drive before imaging it and then setting up a dual boot with Debian (or maybe Xubuntu) for internet and W7 for work.

    I suppose I’m just revealing my folly and ignorance but there is a time cost to all this faffing about.

    1. Tom Hawack said on March 28, 2020 at 10:51 am
      Reply

      @DirCompUser, for what is of our present concern, that is the Critical font parsing issue in Windows dated March 2020, the information provided by Microsoft, including the workarounds, is all in its ADV200006 at [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006].

  10. Tom Hawack said on March 27, 2020 at 9:55 pm
    Reply

    Quoting 0Patch, as displayed in the article,

    “With this micropatch in place, all applications using Windows GDI for font-related operations will find any Adobe Type 1 PostScript fonts rendered invalid and unable to load.[…]”

    This is exactly what happens when I’ve set one of Microsoft’s workarounds:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DisableATMFD"=dword:00000001

    This is not mentioned by 0Patch as they refer only to Microsoft’s workarounds regarding,
    1- Disable the Preview Pane, the Details Pane and thumbnails in Windows Explorer
    2- Disable the WebClient service
    3- Rename ATMFD.DLL

    The registry DisableATMFD seems to work fine here, for instance, if I double-click on Philosopher.otf I get an error message stating this file is not a valid font file …

    So what more will the 0Patch bring? Certainly more than I can presume.
    Windows 7 here, forgot to mention it.

    1. Cigologic said on March 28, 2020 at 12:55 pm
      Reply

      > Tom Hawack: “So what more will the 0Patch bring? Certainly more than I can presume.”

      Actions vs Outcomes:

      1. User disabling ATMFD.DLL via the registry, OR renaming ATMFD.DLL (requires changing file permissions first). Either requires a PC reboot to take effect.
      — A malicious actor with local/remote access to your PC can easily undo the change, before carrying out an attack.

      2. 0Patch’s GDI32.DLL micropatch
      — Supposedly blocks Adobe Type 1 PostScript fonts “from reaching the kernel”, even when the vulnerable ATMFD.DLL is left unchanged & enabled.

      3. Microsoft’s ATMFD.DLL patch
      — Pending for supported OS, but won’t be supplied for Win 7 & older OS.

      Action 1 would prevent *all applications* that utilize Windows’ ATMFD.DLL — including 3rd-party file managers, font viewers, document viewers, email clients (with preview function), etc. — from rendering Adobe Type 1 PostScript & OTF fonts (whether malicious or not) in previews & documents. Presumably Action 2 would have the same outcome.

      If so, this would adversely & *permanently* impact users who need to use/preview such fonts, or documents created with such font types.

      In this sense, 0Patch’s GDI32.DLL micropatch might be considered a permanent “less” where functionality is concerned. And perhaps an unnecessary “more” since the user has to install 0Patch’s proprietary console (just to get this modified GDI32.DLL) — & letting an additional 3rd-party process continuously monitor the PC in the background.

      As for Action 3 (whenever Microsoft makes this available to Win 8.1+/10 users), it would be possible to keep ATMFD.DLL enabled, & safely view Adobe Type 1 PostScript & OTF fonts or related documents without getting infected by malformed font files.

      Ideally, in the current era of intensified remote working & keeping up-to-date with SARS-CoV-2 pandemic news using an internet-connected PC, Microsoft should provide a *standalone* hotfix for the significant numbers of Win 7 home, government, corporate & small business users. But since Microsoft chooses not to be socially responsible, what’s there left to say ?

  11. Funkyy said on March 27, 2020 at 8:13 pm
    Reply

    It would be easier for a camel to pass through the eye of a needle than for a poor guy to find the download link for the patch on 0Patch’s site!

    1. CKing123 said on March 28, 2020 at 2:49 am
      Reply

      @Funkyy You must download the 0patch console. It should automatically apply all eligible patches for the system.

      1. Funkyy said on March 28, 2020 at 8:07 pm
        Reply

        Thanks CKing123, since posting my comment I have used the “disable ATMFD” workaround that Microsoft suggested. But thanks for the tip, I’ll try to remember that next time I visit 0Patch.

  12. seeprime said on March 27, 2020 at 7:39 pm
    Reply

    I use 0patch on one of my workstations. So far, so good. Why am I still using Windows 7? I work on computers. When I test hard drives, pulled from a customer machine, and connect them to a workstation to scan and image, Windows 10 is terribly slow, taking up to 20 minutes to open a user account to manually check the files for bad actors. Normally, it only takes a few minutes. All of which is lost time. Windows 7 is virtually instantaneous when doing the same task. Also, 10 slows me down by constantly saying I don’t have permission and then more clicks are needed to do what I do. 7 does not slow me down. Both 7 and 10 are set up with the same policies. 0patch keeps 7 secure. I have the Pro version. I have no intention of going to Windows 10 on that machine.

    1. Anonymous said on March 31, 2020 at 2:47 am
      Reply

      Windows Ten is another moron member of the TIFKAM family, along with his older “tard” brother Eight, who all need to be ran out of town.

  13. Anonymous said on March 27, 2020 at 6:57 pm
    Reply

    I’m keeping Windows 7 forever. Microsoft keeps ruining Windows on 10. If they want me to upgrade, they will need to get rid of the bug ridden smartphone UI. I need a stable desktop UI to function.
