Windows code-execution zeroday is under active exploit, Microsoft warns

1、 基本情况

  近日,监测发现微软官方发布了一份编号ADV200006 的紧急漏洞通告,通告表示有在野攻击行动使用了位于Adobe Type Manager Library中的两个远程代码执行0Day漏洞。攻击者可通过多种场景实施攻击,比如说服受害者在Windows的预览中访问一个特殊构造的文档。微软官方暂未发布修复补丁,目前只提供缓解方式,鉴于漏洞危害较大,建议广大用户先参考对应的缓解方案处理。

2、 攻击原理

  据悉,这两个远程代码执行漏洞的原因主要是Windows Adobe Type Manager Library并没有正确处理特殊构造的多重母版字体——Adobe Type1 PostScript格式,受影响系统版本非常多,已停止服务的WIN7也受到漏洞影响。

  攻击者可通过多种场景实施攻击,比如说服受害者在Windows的预览中访问一个特殊构造的文档。

3、 影响范围

  受影响版本:
  Windows 10 for 32-bit Systems
  Windows 10 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems
  Windows 10 Version 1607 for x64-based Systems
  Windows 10 Version 1709 for 32-bit Systems
  Windows 10 Version 1709 for ARM64-based Systems
  Windows 10 Version 1709 for x64-based Systems
  Windows 10 Version 1803 for 32-bit Systems
  Windows 10 Version 1803 for ARM64-based Systems
  Windows 10 Version 1803 for x64-based Systems
  Windows 10 Version 1809 for 32-bit Systems
  Windows 10 Version 1809 for ARM64-based Systems
  Windows 10 Version 1809 for x64-based Systems
  Windows 10 Version 1903 for 32-bit Systems
  Windows 10 Version 1903 for ARM64-based Systems
  Windows 10 Version 1903 for x64-based Systems
  Windows 10 Version 1909 for 32-bit Systems
  Windows 10 Version 1909 for ARM64-based Systems
  Windows 10 Version 1909 for x64-based Systems
  Windows 7 for 32-bit Systems Service Pack 1
  Windows 7 for x64-based Systems Service Pack 1
  Windows 8.1 for 32-bit systems
  Windows 8.1 for x64-based systems
  Windows RT 8.1
  Windows Server 2008 for 32-bit Systems Service Pack 2
  Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  Windows Server 2008 for Itanium-Based Systems Service Pack 2
  Windows Server 2008 for x64-based Systems Service Pack 2
  Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  Windows Server 2008 R2 for x64-based Systems Service Pack 1
  Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  Windows Server 2012
  Windows Server 2012 (Server Core installation)
  Windows Server 2012 R2
  Windows Server 2012 R2 (Server Core installation)
  Windows Server 2016
  Windows Server 2016 (Server Core installation)
  Windows Server 2019
  Windows Server 2019 (Server Core installation)
  Windows Server, version 1803 (Server Core Installation)
  Windows Server, version 1903 (Server Core installation)
  Windows Server, version 1909 (Server Core installation)

4、 处置建议

  微软在通告中提供了多种选择,用户可以自行选择(具体见参考链接),此处主要建议重命名ATMFD.DLL文件的方式。

  32位操作系统缓解方式:

  1.在管理员权限的命令行里输入

  cd "%windir%system32"
  takeown.exe /f atmfd.dll
  icacls.exe atmfd.dll /save atmfd.dll.acl
  icacls.exe atmfd.dll /grant Administrators:(F)
  rename atmfd.dll x-atmfd.dll

  2.重启系统

  64位操作系统缓解方式:

  1.在管理员权限的命令行里输入

  cd "%windir%system32"
  takeown.exe /f atmfd.dll
  icacls.exe atmfd.dll /save atmfd.dll.acl
  icacls.exe atmfd.dll /grant Administrators:(F)
  rename atmfd.dll x-atmfd.dll
  cd "%windir%syswow64"
  takeown.exe /f atmfd.dll
  icacls.exe atmfd.dll /save atmfd.dll.acl
  icacls.exe atmfd.dll /grant Administrators:(F)
  rename atmfd.dll x-atmfd.dll

  2.重启系统

5、参考链接

  1) https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200006