[Fix] Critical Font Vulnerability in Windows 7, 8/8.1 and Windows 10
On March 23, 2020, Microsoft published security advisory ADV200006 (Type 1 Font Parsing Remote Code Execution Vulnerability) about limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library.
The vulnerability is present in all Windows versions, including Windows 7, Windows 8/8.1, Windows 10, Windows RT 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019. It is found in all Windows editions and architectures: 32-bit (x86), 64-bit (x64), ARM64 and Itanium-based.
Microsoft states that two remote code execution vulnerabilities exist in these Windows versions when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format.
There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.
Microsoft is aware of this vulnerability and is working on a fix. However, updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.
In the meantime, users need to mitigate these vulnerabilities manually by following the methods given in this article until the security update is released for all affected Windows versions.
A. Disable Preview Pane and Details Pane in Windows Explorer
Since an attacker could exploit the vulnerability when OTF fonts are previewed in the Preview Pane, the first thing you need to do is turn off the Preview Pane and Details Pane in Windows Explorer (also known as My Computer, This PC or File Explorer).
1. Open This PC or File Explorer from Desktop or using WIN+E hotkey.
2. Now disable Preview Pane and Details Pane. You can quickly and easily disable Preview Pane and Details Pane by pressing ALT+P and ALT+SHIFT+P hotkeys respectively. Pressing these keys toggles the appearance of Details Pane and Preview Pane, so press these hotkeys until both panes disappear.
Alternatively, you can also disable Details Pane and Preview Pane using “Organize -> Layout” menu or “Ribbon -> View” tab.
B. Disable Thumbnails View in Windows Explorer
1. Open This PC or File Explorer and open Folder Options (from Tools menu in Windows XP, from Organize menu in Windows 7, from Ribbon -> View in Windows 8/8.1 and Windows 10).
2. Go to View tab in Folder Options and enable “Always show icons, never thumbnails” option.
Apply changes and close Windows Explorer.
C. Disable WebClient Service
Disabling WebClient service will help protect all affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.
1. Press WIN+R keys together to launch RUN dialog box, type services.msc and press Enter. It’ll open Service Manager.
2. Now scroll down and look for WebClient service.
3. Double-click on WebClient service to open its Properties window. Now set “Startup type” to “Disabled” from the drop-down box and apply changes.
Close Services Manager.
D. Rename ATMFD.DLL File
NOTE: The ATMFD.DLL file is not present in Windows 10 version 1709 and later, so this method applies only to the other Windows versions.
1. Open Command Prompt as Administrator using any method given in following tutorial:
[Guide] Different Ways to Open Command Prompt as Administrator in Windows
2. Now run following commands in Command Prompt:
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
If you are using 64-bit (x64) edition of Windows, you’ll need to run following extra commands as well:
cd "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
Close Command Prompt.
E. Disable ATMFD using Registry Editor
1. Press WIN+R keys together to launch RUN dialog box. Now type regedit and press Enter. It’ll open Registry Editor.
2. Now go to following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
3. In right-side pane, create a new DWORD DisableATMFD and set its value to 1
Close Registry Editor and restart your computer for the change to take effect.
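To confirm that workarounds C, D and E are actually in place on a machine, a read-only PowerShell check like the following can be used. It is an added example, not part of the original article or of Microsoft's advisory; the function names are hypothetical, while the service name, file names and registry value are the ones given in the steps above.

```powershell
# Added example: read-only audit of workarounds C, D and E on the local machine.
# Uses Get-WmiObject so it also runs on the Windows PowerShell 2.0 shipped with Windows 7.
# On x64, run it from 64-bit PowerShell: a 32-bit process sees SysWOW64 as System32.

function Get-WebClientStatus {
    # Workaround C: the WebClient service should be disabled and not running.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) { return 'service not installed' }
    if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') { return 'applied' }
    return "NOT applied (StartMode=$($svc.StartMode), State=$($svc.State))"
}

function Get-AtmfdFileStatus([string]$Dir) {
    # Workaround D: atmfd.dll should have been renamed to x-atmfd.dll.
    if (-not (Test-Path $Dir)) { return 'directory not present' }
    if (Test-Path (Join-Path $Dir 'atmfd.dll'))   { return 'NOT applied (atmfd.dll present)' }
    if (Test-Path (Join-Path $Dir 'x-atmfd.dll')) { return 'applied (renamed to x-atmfd.dll)' }
    return 'atmfd.dll not present'   # expected on Windows 10 version 1709 and later
}

function Get-AtmfdRegistryStatus {
    # Workaround E: DWORD DisableATMFD = 1 under the key named in the article.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $prop = Get-ItemProperty -Path $key -Name DisableATMFD -ErrorAction SilentlyContinue
    if ($prop -and $prop.DisableATMFD -eq 1) { return 'applied' }
    return 'NOT applied (DisableATMFD missing or not 1)'
}

function New-Row($Name, $Status) {
    New-Object PSObject -Property @{ Workaround = $Name; Status = $Status }
}

@(
    New-Row 'C. WebClient service'           (Get-WebClientStatus)
    New-Row 'D. atmfd.dll in System32'       (Get-AtmfdFileStatus "$env:windir\System32")
    New-Row 'D. atmfd.dll in SysWOW64'       (Get-AtmfdFileStatus "$env:windir\SysWOW64")
    New-Row 'E. DisableATMFD registry value' (Get-AtmfdRegistryStatus)
) | Select-Object Workaround, Status | Format-Table -AutoSize
```

The script changes nothing on the system. The Explorer settings from sections A and B are per-user and are not covered by it.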
That’s it. Very soon Microsoft will release an official patch or security update to fix this security vulnerability found in all Windows versions.
Dear Vishal Gupta
I wonder a few things, as I have disabled remote access to my PC.
Does this concern me nevertheless?
Best Regards
Peter Alexander London
PS
Stay healthy in these dark times
Will this be patched for all Win 7 versions even though support has ended?
You wrote: “…create a new DWORD DisableATMFD”
In a 64-bit Windows version, should the new DWORD be a 32-bit Dword or a 64-bit Dword?
^^ New DWORD (32-bit).
@Manny
It should be available for Windows 7 as well.
@Peter Alexander London
I suggest implementing the fixes.
@VG
Thanks for your quick response.
I just made the changes.
My question now is, do I have to change it back manually after a patch has been delivered by MS?
I bookmarked this page to remind me what I changed so I can eventually reset my PC by hand.
Best regards
Peter Alexander London
^^ No need to undo any changes. But you can if you want after installing the released patch.
Thanks for the info update, Sir VG