New Critical Windows 10 Exploit – Attacks Seen, No Patch Yet

Kobi Rubin

Mar 24

What this could mean for your clinical network and what you can do to mitigate the risks

Type 1 Font Parsing Remote Code Execution Vulnerabilities

On March 23, Microsoft issued an Advisory on two critical remote code execution (RCE) vulnerabilities in the Adobe Type Manager Library that are actively being exploited. These vulnerabilities affect all supported versions of Windows and Windows Server operating systems, as well as Windows 7. (For a full list, see the Advisory.)

These vulnerabilities may allow an unauthenticated remote attacker to execute arbitrary code and take control of an affected system. Currently, there is no patch available to fix these vulnerabilities. Microsoft is “aware of limited, targeted attacks” that have attempted to exploit these unpatched vulnerabilities.

About the Vulnerabilities

Adobe Type Manager is a Windows DLL file that is used by a wide variety of apps to manage and render fonts available from Adobe Systems. The two remote code execution vulnerabilities have been found in the way the Microsoft Windows Adobe Type Manager library handles a malicious “specially-crafted” multi-master font, specifically the Adobe Type 1 PostScript format.

An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted document or view it in the Windows Preview pane. Successful exploitation may allow an unauthenticated remote attacker to execute arbitrary code with kernel privileges on a vulnerable system.

Exposure in Healthcare Delivery Organizations

Core medical devices are less likely to be affected, as they do not use Windows Explorer. However, this vulnerability might still put hospital networks at risk, as it might affect some of the medical devices, workstations and other computing systems in the network.

Mitigations and Remediations

The Advisory stated that Microsoft is working on a fix, noting that “Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.” This suggests that a patch for these vulnerabilities won’t be available until April’s Patch Tuesday. 

In the meantime, healthcare delivery organizations need to protect themselves against these vulnerabilities. We suggest:

  • Identifying all systems affected – Medigate can help you identify which systems in your network use the affected software, so you can understand the scope of your exposure and take steps to protect your environment. 
  • Monitoring for suspicious requests to view untrusted documents. 
  • Instructing users to not open any suspicious files. We know this is extremely challenging during this time – as the world fights the Coronavirus pandemic, cyberattackers have upped their game and are using COVID-19 in their phishing emails and ransom attacks.
  • Following Microsoft’s recommended workarounds, but please check with the manufacturer to consider and understand any potential risks and benefits of using these workarounds:
      • Disable the Preview and Details panes in Windows Explorer to prevent malicious files from being viewed. However, it is important to know that while this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit the vulnerability.
      • Disable the WebClient service and rename the ATMFD.DLL file.
      • For more information, see the Microsoft Advisory.
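
Added audit script, not from this post or from the Microsoft Advisory: a PowerShell function that reports whether each of the three workarounds listed above is in place on the local machine, so an organization can check workstations before the April patch arrives. It assumes the registry value names NoReadingPane (the “Turn off Preview Pane” Explorer policy) and IconsOnly (“Always show icons, never thumbnails”), and that it runs in an elevated session.

```powershell
# Added audit script (not from the post or the Microsoft Advisory).
# Reports whether each workaround listed above is in place on this host.
# Assumed registry value names: NoReadingPane ("Turn off Preview Pane" policy)
# and IconsOnly ("Always show icons, never thumbnails"). Run elevated.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AtmWorkarounds {
    $results = @()

    # 1. Preview pane off and thumbnails disabled (per-user settings). The Details
    #    pane is an Explorer layout setting without a simple flag; verify it in the UI.
    $noReading = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoReadingPane'
    $iconsOnly = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'IconsOnly'
    $results += [pscustomobject]@{
        Workaround = 'Preview pane off / icons only'
        Applied    = ($noReading -eq 1) -and ($iconsOnly -eq 1)
        Detail     = "NoReadingPane=$noReading IconsOnly=$iconsOnly"
    }

    # 2. WebClient (WebDAV) service stopped and set to Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    $svcDetail = if ($svc) { "State=$($svc.State) StartMode=$($svc.StartMode)" } else { 'service not installed' }
    $results += [pscustomobject]@{
        Workaround = 'WebClient service disabled'
        Applied    = ($null -eq $svc) -or ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
        Detail     = $svcDetail
    }

    # 3. atmfd.dll renamed. The rename in the Advisory leaves no atmfd.dll in
    #    System32 (and SysWOW64 on 64-bit). A missing file can also mean this
    #    Windows build does not ship it, so read 'absent' together with the OS version.
    foreach ($dir in @("$env:windir\System32", "$env:windir\SysWOW64")) {
        if (-not (Test-Path $dir)) { continue }
        $dll = Join-Path $dir 'atmfd.dll'
        $present = Test-Path $dll
        $dllDetail = if ($present) { "present, version $((Get-Item $dll).VersionInfo.FileVersion)" } else { 'absent' }
        $results += [pscustomobject]@{
            Workaround = "atmfd.dll absent from $dir"
            Applied    = -not $present
            Detail     = $dllDetail
        }
    }
    $results
}

Test-AtmWorkarounds | Format-Table -AutoSize -Wrap
```

Rows with Applied = False are the workarounds still missing; the output can be collected per host and compared against the affected-system inventory.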

Once a patch is available, best practice is to apply it as soon as possible, under the consent and approval of the manufacturer.
