The vulnerability stems from the Adobe Type Manager Library, a Windows 10 DLL file used to manage fonts across various apps. An attacker who can trick a user into opening or viewing a crafted document can then use one of two known remote-code-execution flaws in the library to plant harmful code on the victim’s system.
Microsoft didn’t disclose which groups or individuals are exploiting the vulnerability or what damage the attacks have caused. It’s also possible, as Ars Technica points out, that targeted attacks were only attempted but never succeeded in taking over a system. These attacks most likely targeted high-profile individuals, like government officials. “Microsoft is aware of limited, targeted attacks that attempt to leverage this vulnerability,” the company admitted Monday in an advisory. “For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.”
Windows 10 flaw: What to do
While there isn’t an update to patch the vulnerability just yet, Microsoft says it’s working on a fix and noted that “Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.” The company stopped short of promising an April 14 update, but we expect Microsoft is aiming for the second Tuesday of next month. Until then, Microsoft suggests a few workarounds: disable the preview and details pane in Windows Explorer, disable the WebClient service, and rename ATMFD.DLL or disable it through the registry. Each of these actions helps prevent an attack, but each also causes some functionality to stop working. For example, disabling the preview pane in Windows Explorer prevents a malicious file from being rendered automatically, but it doesn’t stop local attacks, and OpenType fonts will no longer be displayed automatically. Disabling the WebClient service blocks remote attempts to exploit a system, but attackers who are already inside the PC can still run apps on the computer or LAN. You can read Microsoft’s advisory for detailed steps on how to apply the workarounds, their potential impact, and how to undo them when a proper patch is released.
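As an added example (not code from this article or from Microsoft’s advisory), the PowerShell script below reports whether each of the three workarounds is in place on a Windows 10 host and can apply the WebClient one, which is the easiest to roll back. It assumes ATMFD.DLL is located under System32 and that Explorer stores the preview-pane setting in the per-user ShowPreviewHandlers value; the rename and registry steps for the DLL itself are left to the advisory.

```powershell
# Added example, not taken from the article or Microsoft's advisory.
# Audits the three workarounds described above and, with -DisableWebClient,
# stops and disables the WebClient service (supports -WhatIf).
# Assumptions: ATMFD.DLL is checked at $env:windir\System32\atmfd.dll, and the
# preview-pane check reads Explorer's per-user ShowPreviewHandlers value.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableWebClient
)

function Get-AtmfdWorkaroundState {
    $svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    $dll = Join-Path $env:windir 'System32\atmfd.dll'   # assumed location
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $preview = (Get-ItemProperty -Path $advanced -Name 'ShowPreviewHandlers' `
                -ErrorAction SilentlyContinue).ShowPreviewHandlers

    [pscustomobject]@{
        WebClientStatus    = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
        # Mitigated only when the service is both stopped and cannot be restarted on demand.
        WebClientMitigated = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
        # A renamed or absent DLL means the font parser cannot be loaded.
        AtmfdPresent       = Test-Path $dll
        PreviewHandlers    = if ($null -eq $preview) { 'default (enabled)' } else { $preview }
        PreviewMitigated   = ($preview -eq 0)
    }
}

function Disable-WebClientService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('WebClient', 'Stop service and set StartupType=Disabled')) {
        Stop-Service -Name 'WebClient' -Force -ErrorAction SilentlyContinue
        Set-Service  -Name 'WebClient' -StartupType Disabled
    }
}

Get-AtmfdWorkaroundState | Format-List

if ($DisableWebClient) {
    Disable-WebClientService
    # Rollback once the patch is installed: restore the default start type and start the service.
    Write-Host 'Rollback: Set-Service -Name WebClient -StartupType Manual; Start-Service -Name WebClient'
    Get-AtmfdWorkaroundState | Format-List
}
```

Run it from an elevated PowerShell session; without -DisableWebClient it only reads state, so it is safe to use as a fleet-wide check before and after the patch lands.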