Critical Security Flaw Hits Windows 7 and 8 Hardest

John Lister

Microsoft has warned users of a significant unpatched security flaw in Windows. It's offered some key steps to take while the problem is being fixed.

The problem affects all currently supported versions of Windows, though Windows 7 and 8 machines are affected 'critically' according to the Microsoft advisory bulletin. Attacks on Windows 10 machines are considerably more constrained due to its enhanced security features.

Microsoft says it's currently only aware of targeted attacks on Windows 7 machines, though that could change now that the bug has been made public. (Source: microsoft.com)

Adobe Type Manager is the Problem

The problem is with the Windows Adobe Type Manager Library, which handles typefaces. The vulnerability could allow attackers to remotely execute code on the machine, which constitutes a "critical security risk."

In this case, a malicious document can be crafted to download a malicious program onto the system, then execute it with the highest privileges. In turn, this can grant cyber criminals unrestricted remote access to the system.

Once a remote connection is established, cyber criminals (or their automated "bots") infiltrate the system and network and deliver a payload, typically ransomware. Once ransomware is on the system, all files are encrypted, and the only way to get them back is by paying the cyber criminals thousands of dollars or by restoring the data from a backup, if one is available.

Windows 7 Users: Read Carefully

Since Windows 7 officially reached its end of life in January 2020, this exploit is particularly worrying for those who continue to use the operating system despite it no longer being supported by Microsoft. This means that Windows 7 will no longer receive security updates to patch bugs such as the one described in this article.

It is for this reason that anyone who uses Windows 7 should upgrade their systems (preferably to Windows 10). If you need help with the upgrade, contact Dennis as he can do it for you using his remote desktop support service.


How the Attack Works

The attack works in two ways: by the victim opening a specially crafted document, or by the victim viewing the document in the Preview Pane feature of Windows Explorer or File Explorer.

Fortunately, such attacks are more limited on Windows 10 thanks to its sandboxing feature: an attacker could only run code in a restricted "area" of the computer, rather than gaining access to the rest of the system as on a Windows 7 machine.

Temporary Workaround: How to Protect Against Attacks

One option for users of older systems is to find and rename a file called ATMFD.DLL, though this solution is for particularly confident users only. Instead, Microsoft recommends the best option is to disable the Preview feature.

To disable the Preview feature for Windows 10:

  1. Open Windows Explorer, then click the View tab.
     
  2. Clear both the Details pane and Preview pane menu options.
     
  3. Click Options, and then click Change folder and search options.
     
  4. Next, click the View tab.
     
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
     
  6. Close all open instances of Windows Explorer for the change to take effect or reboot the machine.

For earlier versions of Windows, the Preview feature can be disabled using the following method:

  1. Open Windows Explorer, click Organize, and then click Layout.
     
  2. Clear both the Details pane and Preview pane menu options.
     
  3. Next, click Organize, and then click Folder and search options.
     
  4. Click the View tab. Under Advanced settings, check the Always show icons, never thumbnails box.
     
  5. Close all open instances of Windows Explorer for the change to take effect, or reboot the machine.

Another protective measure is to disable the Windows WebClient service:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
     
  2. Right-click WebClient service and select Properties.
     
  3. Change the Startup type to Disabled. If the service is running, click Stop.
     
  4. Click OK and exit the management application.
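The three procedures above can also be applied from a PowerShell prompt, which is handy when several machines need the same interim workaround. The script below is an added example written for this article; it is not Microsoft's code, and the registry value names it writes (NoReadingPane, NoPreviewPane, IconsOnly) are an assumption about which values Explorer reads for the Preview pane, Details pane and "Always show icons, never thumbnails" settings. Run it from an elevated prompt so the service change succeeds; the ATMFD.DLL line only reports whether the file is present and does not rename it.

```powershell
# Added example: apply the interim workarounds from the article on one machine
# and report the result. Assumed registry value names are marked below.

$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$explorerAdv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Disable-ExplorerPreview {
    # Assumed mapping: NoReadingPane hides the Preview pane, NoPreviewPane hides
    # the Details pane. IconsOnly = 1 is the "Always show icons, never thumbnails" box.
    Set-RegistryDword -Path $explorerPolicy -Name 'NoReadingPane' -Value 1
    Set-RegistryDword -Path $explorerPolicy -Name 'NoPreviewPane' -Value 1
    Set-RegistryDword -Path $explorerAdv    -Name 'IconsOnly'     -Value 1
    # Explorer reads these at start-up, so restart it (same effect as step 6 above).
    Get-Process explorer -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Process explorer.exe
}

function Disable-WebClientService {
    # Equivalent of the Services.msc steps: stop the service and set Startup type to Disabled.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning 'WebClient service not present on this machine'; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
}

function Test-Mitigations {
    # Read-only check to confirm the settings took effect; safe to run on its own.
    $pol = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
    $adv = Get-ItemProperty -Path $explorerAdv    -ErrorAction SilentlyContinue
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    # Win32_Service works on Windows 7's PowerShell 2.0 as well as on Windows 10.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        PreviewPaneOff    = ($pol.NoReadingPane -eq 1)
        DetailsPaneOff    = ($pol.NoPreviewPane -eq 1)
        IconsOnly         = ($adv.IconsOnly -eq 1)
        WebClientStopped  = ($null -eq $svc -or $svc.Status -ne 'Running')
        WebClientDisabled = ($null -eq $wmi -or $wmi.StartMode -eq 'Disabled')
        AtmfdDllPresent   = (Test-Path (Join-Path $env:SystemRoot 'System32\atmfd.dll'))
    }
}

Disable-ExplorerPreview
Disable-WebClientService
Test-Mitigations | Format-List
```

Test-Mitigations can be run by itself later (for example by a helpdesk) to confirm the workaround is still in place; once Microsoft ships a patch, the same registry values can be set back to 0 and the service re-enabled.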

As well as making these changes, Microsoft recommends taking particular care at this time to be wary of downloading or opening unexpected or suspicious file attachments.

What's Your Opinion?

Had you heard of this risk before reading this article? Should Microsoft have a way to directly contact Windows users when such a threat appears? Should Microsoft remotely disable the Preview feature if that were technically possible?


Comments

buzzallnight

to rename ATMFD.DLL