【安全通报】Adobe Type 1字体解析漏洞引发的远程代码执行

近日,微软官方发布了一份安全通报,表示检测到网络中有攻击者使用了Adobe Type Manager Library中0day漏洞,进行远程代码执行攻击。由于尚未发布补丁,因此特意指导相关用户实施暂时防御措施,降低安全风险。

22.png

Type1全称Postscript Type1,是1985年由Adobe公司提出的一套矢量字体标准,由于这个标准是基于Postscript Description Language(PDL),而PDL又是高端打印机首选的打印描述语言,所以Type1迅速流行起来。

漏洞存在的原因主要是Windows Adobe Type Manager Library没有正确处理攻击者特殊制作的multi-master字体——Adobe Type 1 Postscript 格式。

攻击者可通过类似钓鱼的方式发起攻击,例如诱骗用户打开恶意文档等。微软将在下一个补丁发布日修复漏洞。

危害等级

高危

漏洞原理

由于Windows Adobe Type Manager Library没有正确处理攻击者特殊制作的multi-master字体——Adobe Type 1 Postscript格式,导致出现远程代码执行漏洞。

漏洞影响

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)

CVE编号

暂无

修复建议

目前官方尚未发表补丁,针对不同版本操作系统提供了多种修复方法,详情可见以下链接:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200006

此处介绍重命名ATMFD.DLL的方式(从Windows 10版本1709开始的Windows 10中不存在ATMFD.DLL):


1.对于32位用户

在管理员权限的命令行中输入

cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F) 
rename atmfd.dll x-atmfd.dll

重启系统。

2.对于64位用户

在管理员权限的命令行中输入:

cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F) 
rename atmfd.dll x-atmfd.dll
cd "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F) 
rename atmfd.dll x-atmfd.dll

重启系统。

参考

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200006

[2] https://mp.weixin.qq.com/s/zFgA_Gtq22jR3WSuRpptiA

[3] https://baike.baidu.com/item/%E7%9F%A2%E9%87%8F%E5%AD%97%E4%BD%93

白帽汇从事信息安全,专注于安全大数据、企业威胁情报。

公司产品:FOFA-网络空间安全搜索引擎、FOEYE-网络空间检索系统、NOSEC-安全讯息平台。

为您提供:网络空间测绘、企业资产收集、企业威胁情报、应急响应服务。

免责声明:文章内容不代表本站立场,本站不对其内容的真实性、完整性、准确性给予任何担保、暗示和承诺,仅供读者参考,文章版权归原作者所有。如本文内容影响到您的合法权益(内容、图片等),请及时联系本站,我们会及时删除处理。查看原文

为您推荐