A small hint for administrators of large Windows environments in Active Directory who need to close the ADV200006 0-day vulnerability: mitigation is possible via Group Policy.
The Windows 0-day vulnerability ADV200006
In all supported Windows versions, there are two unpatched vulnerabilities in the Adobe Type Manager Library. Both allow remote code execution because the Windows Adobe Type Manager Library does not correctly handle a specially crafted multi-master font in the Adobe Type 1 PostScript format. An attacker could exploit this, for example, by tricking a user into opening a specially crafted document or viewing it in the Windows preview pane.
The details are found in ADV200006. All Windows versions are affected, from Windows 7 SP1 through Windows 8.1 to Windows 10, and of course all their server counterparts. On systems running Windows 10, a successful attack can only occur in an AppContainer sandbox context, and thus only allows limited permissions and code execution capabilities. Attackers are already attempting to exploit this vulnerability. Microsoft is aware of it and is working on a fix, but has not yet released a patch. I expect it to arrive on the regular patchday, April 14, 2020.
Mitigate vulnerabilities via GPO
Microsoft provides workarounds for older operating systems such as Windows 7 SP1 and Windows 8.1 and their server counterparts to prevent the vulnerability from being exploited. Microsoft has published these workarounds in ADV200006. However, these approaches are not viable in larger corporate environments.
FYI, I created a blog post which describes how to mitigate this in a large AD environment using GPOs – here is post link: https://t.co/BtVt3ejZvw #ActiveDirectory #GPO #ADV200006 pic.twitter.com/kUUVIlEW4m
— Sylvain Cortes (@sylvaincortes) March 29, 2020
Microsoft MVP Sylvain Cortes has written a blog post on how to use Group Policy to make it more difficult or impossible to exploit the vulnerabilities in question. This includes turning off the preview in Windows Explorer and disabling the WebClient – both measures also suggested by Microsoft in ADV200006. Details can be found in the corresponding blog post.
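As an added example (not code from this post or from Sylvain Cortes' article), the following PowerShell checks, and if needed applies locally, the two measures named above: the Explorer preview/details panes turned off and the WebClient service stopped and disabled. It assumes that the File Explorer GPO settings "Turn off Preview Pane" and "Turn off Details Pane" are backed by the DWORD values NoPreviewPane and NoReadingPane under the user's Policies\Explorer key; the function names are my own.

```powershell
# Added example: verify/apply the ADV200006 workarounds the post describes.
# Assumption: the GPO settings "Turn off Preview Pane" / "Turn off Details Pane"
# (User Configuration > Administrative Templates > Windows Components > File Explorer >
# Explorer Frame Pane) write NoPreviewPane / NoReadingPane = 1 under this key.
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-ExplorerPolicyValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $ExplorerPolicy -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-Adv200006Mitigation {
    # One boolean per check; $true means the mitigation is in effect on this host.
    # Win32_Service exposes State/StartMode on all supported PowerShell versions.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        PreviewPaneOff    = (Get-ExplorerPolicyValue 'NoPreviewPane') -eq 1
        DetailsPaneOff    = (Get-ExplorerPolicyValue 'NoReadingPane') -eq 1
        WebClientStopped  = ($null -eq $svc) -or ($svc.State -eq 'Stopped')
        WebClientDisabled = ($null -eq $svc) -or ($svc.StartMode -eq 'Disabled')
    }
}

function Set-Adv200006Mitigation {
    # Applies the same two measures locally. In a domain, deploy them through the GPO
    # instead and use Test-Adv200006Mitigation to confirm the policy reached the clients.
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    foreach ($name in 'NoPreviewPane', 'NoReadingPane') {
        New-ItemProperty -Path $ExplorerPolicy -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
    }
}

# Report the current state; run Set-Adv200006Mitigation (elevated) to enforce it locally.
Test-Adv200006Mitigation | Format-List
```

Running the test function from a logon script or a monitoring job gives a per-host record of whether the GPO actually took effect, which is the part that is easy to lose sight of when the workaround is rolled out to thousands of clients.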