Generally, Microsoft announces vulnerabilities when they release patches on their (in)famous Patch Tuesday releases. That usually means bad actors only have a chance to investigate and exploit a vulnerability after the patch is released, leaving a small window of opportunity to use the vulnerability in attacks before systems have the patch applied.
On March 22, a 0-day vulnerability was announced that affects supported versions of Windows, including Windows 7. According to Microsoft, this vulnerability has been used in some limited targeted attacks in the wild against Windows 7. Per their advisory, an attacker would need to trick a user into opening a malicious document or viewing it in the Preview Pane of Windows Explorer. At the time of this article, Microsoft plans to release a patch for this vulnerability in April’s Patch Tuesday drop.
This means there is an increased risk over the next few weeks for files delivered via malicious emails. It should also be noted that versions of Windows 10 and the corresponding Server versions experience minimal risk from this vulnerability because the fonts are processed in a user mode AppContainer sandbox, which limits the overall impact.
In the advisory, Microsoft goes on to recommend three workarounds. Which one you implement will depend on what level of impact your supported end users can tolerate. All of them will limit the ability for a user to view documents in the Preview Pane of Windows Explorer. It should also be noted that the Outlook Preview Pane is NOT affected by this vulnerability.
The workarounds can vary from system to system, and you can view the individual steps in the advisory. Consider any effects these may have on your customers before you enable any workaround. If you would like to test and execute the “rename ATMFD” workaround, our Head Automation Nerd Marc-Andre Tanguay has built an AMP for you to download and review. Of course, you should run through the execution and effects on a test system before rolling out to your end users. Remember, this .dll does not exist on Windows 10 version 1709 and above.
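Before running the AMP (or the advisory's manual steps) on a fleet, it helps to know which systems are actually in scope for the "rename ATMFD" workaround and which ones already have it applied. The following read-only PowerShell pre-check is an added example, not code from the original post or from the SolarWinds AMP. It reports the OS caption and build, whether atmfd.dll is present under System32 and SysWOW64, and whether a renamed copy is already in place. The renamed file name `x-atmfd.dll` is an assumption on my part; substitute whatever naming your workaround uses.

```powershell
# Added example (not from the original post or the SolarWinds AMP).
# Read-only pre-check for the "rename ATMFD" workaround:
#   - reports the OS caption, build and (on Windows 10) ReleaseId
#   - reports whether atmfd.dll is present in System32 / SysWOW64
#   - reports whether a renamed copy is already in place
# Assumption: the renamed file is called "x-atmfd.dll"; adjust $RenamedName
# to match the naming your own workaround uses.

function Get-AtmfdStatus {
    [CmdletBinding()]
    param(
        [string]$SystemRoot  = $env:SystemRoot,
        [string]$RenamedName = 'x-atmfd.dll'   # assumed name for an applied workaround
    )

    # Version info: ReleaseId is only populated on Windows 10 (e.g. "1709");
    # on Windows 7 / 8.1 the property is absent and reads as $null.
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os  = Get-CimInstance Win32_OperatingSystem

    # atmfd.dll ships in both native and WOW64 system directories on x64.
    $paths = @(
        (Join-Path $SystemRoot 'System32\atmfd.dll'),
        (Join-Path $SystemRoot 'SysWOW64\atmfd.dll')
    )

    $present = @($paths | Where-Object { Test-Path $_ })
    $renamed = @($paths |
        ForEach-Object { Join-Path (Split-Path $_ -Parent) $RenamedName } |
        Where-Object { Test-Path $_ })

    $verdict =
        if ($present.Count -gt 0) {
            'atmfd.dll present: system is in scope for the rename workaround'
        }
        elseif ($renamed.Count -gt 0) {
            'atmfd.dll not present but renamed copy found: workaround appears applied'
        }
        else {
            'atmfd.dll not found: workaround not applicable (expected on Windows 10 1709 and later)'
        }

    [pscustomobject]@{
        Caption      = $os.Caption
        Build        = $ver.CurrentBuild
        ReleaseId    = $ver.ReleaseId
        AtmfdPresent = ($present.Count -gt 0)
        AtmfdPaths   = $present
        RenamedFound = $renamed
        Verdict      = $verdict
    }
}

# Run locally, or wrap in Invoke-Command to collect the same object from many hosts.
Get-AtmfdStatus | Format-List
```

The function only reads the registry and tests file paths, so it is safe to run broadly as an inventory step; the same object can be collected across endpoints with Invoke-Command and used to decide where the AMP needs to run and, after Patch Tuesday, where the workaround still needs to be undone.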
You should also consider other mitigations to protect against any opportunistic bad actors.
As with any threats that must be delivered to and accessed by an end user, it is important to ensure your other layers of protection are in place and current:
We will wait to see whether Microsoft releases an out-of-band patch or waits until the April Patch Tuesday to fix this vulnerability. At that time, you would want to undo any workarounds you put in place to restore the full experience to your end users (the instructions to undo these workarounds are also included in the advisory). If you are still running Windows 7, bear in mind that unless you have purchased an ESU agreement, you will likely not receive any patches for this vulnerability and should consider upgrading to a supported operating system, as well as ensuring other mitigations are up-to-date and protecting the affected systems.
Let’s stay safe out there!
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd