0Patch publishes micropatch to address Windows Font Parsing vulnerability

Microsoft published an advisory about a new font parsing vulnerability in Windows on March 23, 2020. The company rated the vulnerability as critical and said that it was aware of limited targeted attacks exploiting the vulnerability.

Microsoft listed several workarounds to mitigate attacks but they all reduced functionality for users in one way or another.

Microsoft has yet to release a security patch to address the issue for all versions of Windows affected by the vulnerability.

Security company 0Patch is well known for its pledge to create and distribute patches for the Windows 7 and Windows Server 2008 R2 operating systems, which ran out of official support this year. While business and Enterprise customers may extend support by up to three years, home users cannot officially and 0Patch patches.

Microsoft already announced that it won’t provide the font parsing patch for unsupported versions of Windows 7 while it will provide it to companies and Enterprise organizations that have joined the ESU program to receive extended support updates.

0Patch announced today that it has created a micro-patch for the font parsing vulnerability that affects all major client and server versions of the Windows operating system.

A blog post on the official 0Patch blog lists the official information and analyzes the workarounds that Microsoft posted. While all work to a degree, all have disadvantages that 0Patch highlights. Disabling the preview pane, details pane and thumbnails in Windows Explorer for example only blocks attacks when the file manager is used but it won’t protect against other attack vectors.

The team analyzed the vulnerability — it had to since Microsoft did not disclose details about it — and found a solution that it turned into a micro patch.

Basically, what 0Patch did was put a bouncer in front of font operations if Adobe Type 1 PostScript fonts are used so that the vulnerability cannot be exploited.

So we decided to find the common execution point that various Windows applications such as Windows Explorer, Font Viewer, and applications using Windows-integrated font support are using to pass a font to Windows, then place a bouncer there that would keep Adobe Type 1 PostScript fonts out.

The blog post goes into detail, and users interested in the implementation may check it out for additional information.

All administrators need to do is install the micro patch on the device to protect it against the vulnerability.

With this micropatch in place, all applications using Windows GDI for font-related operations will find any Adobe Type 1 PostScript fonts rendered invalid and unable to load. For example, Windows Explorer will start looking like this when viewing a folder with a pair of otherwise valid PFM and PFB files.

The patch is available for free for Windows 7 64-bit and Windows Server 2008 R2 without Extended Security Updates. 0Patch plans to create patches for ESU versions of Windows 7 and Windows Server 2008 R2, as well as Windows 8.1 and Windows Server 2012, soon.

Windows 10 and Server won’t receive the patch as these systems face less of a risk from the vulnerability than previous versions of Windows.

Now You: Do you use 0Patch software to micro-patch vulnerabilities?

Thank you for being a Ghacks reader. The post 0Patch publishes micropatch to address Windows Font Parsing vulnerability appeared first on gHacks Technology News.

Critical font parsing issue in Windows revealed (fix inside)

Microsoft published an advisory yesterday concerning a recently detected font parsing issue that affects all supported versions of the company’s Windows operating system (including Windows 7).

The issue is rated critical, the highest severity rating. Microsoft notes that it is aware of limited targeted attacks and that it is working on a fix to close the vulnerability.

The remote code execution vulnerability is found in the Adobe Type Manager Library, and attackers have multiple options to exploit the issue, including convincing users to open a specially crafted document or to view the document in the preview pane of File Explorer / Windows Explorer.

Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.

A workaround has been published by Microsoft that prevents attacks targeting Windows Explorer / File Explorer. Microsoft notes that the workaround does not “prevent a local, authenticated user from running a specially crafted program to exploit the vulnerability”.

The workaround:

For Windows 7, Windows 8.1 and Windows Server 2008 R2, 2012 and 2012 R2:

  1. Open a Windows Explorer instance and select Organize > Layout.
  2. Disable the Details pane and Preview pane options (if they are enabled). You should notice that the panes are not displayed when disabled.
  3. Select Organize > Folder and search options.
  4. Switch to the View tab.
  5. Under Advanced Settings, check “Always show icons, never thumbnails”.
  6. Close all Windows Explorer instances.

For Windows 10, Windows Server 2016 and 2019:

  1. Open File Explorer and switch to the View tab when it opens.
  2. Clear the Details and Preview pane so that these are not displayed in File Explorer anymore (if they were displayed previously).
  3. Select File > Change folder and search options.
  4. Check Always show icons, never thumbnails in Advanced Settings.
  5. Close all File Explorer instances so that the changes can take effect.

The changes can be undone once the fix has landed in Windows. Just repeat the steps outlined above, but instead of clearing or checking the options, do the opposite.

For systems on which the WebClient service is used, Microsoft recommends disabling the service for the time being as it blocks “the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service”.

Disabling the service will result in WebDAV requests not being transmitted. Also, any service that depends on the WebClient service will not start.

Here is how that is done:

  1. Use Windows-R to bring up a Run box.
  2. Type services.msc and click OK to open the Services Management window.
  3. Locate WebClient in the Services listing, right-click on it and select Properties.
  4. Switch the Startup type to Disabled.
  5. If WebClient is running, select Stop.
  6. Click OK and close the Services Management window.

Administrators who manage Windows 10 version 1703 and earlier systems, including Windows 8.1 and 7, may also disable ATMFD using the Registry.

Here is the script that you need to run:

Windows Registry Editor Version 5.00
; Disables the Adobe Type Manager font driver (ATMFD)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DisableATMFD"=dword:00000001
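
To confirm on a given machine which of the workarounds above are actually in place, here is a read-only audit, added as an example and not taken from the article or from Microsoft. It assumes Windows PowerShell 3.0 or later; the function name is hypothetical, the DisableATMFD and IconsOnly registry value names come from Windows rather than from this article, and the Preview/Details pane state is not checked.

```powershell
# Added example: read-only audit of the workarounds; it changes nothing on the host.
# Run it as the user whose Explorer settings should be checked (IconsOnly lives in HKCU).
function Get-FontParsingWorkaroundState {
    [CmdletBinding()]
    param()

    # Helper: render a missing registry value as 'not set'.
    $show = { param($v) if ($null -eq $v) { 'not set' } else { [string]$v } }

    # WebClient (WebDAV) service: the workaround is Startup type Disabled and the service stopped.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) {
        $svcState = 'service not installed'
        $svcOk    = $true
    } else {
        $svcState = '{0}, {1}' -f $svc.StartMode, $svc.State
        $svcOk    = ($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped')
    }

    # ATMFD registry switch: per the article, only relevant on Windows 10 version 1703 and earlier.
    $atmKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $atm = (Get-ItemProperty -Path $atmKey -Name 'DisableATMFD' -ErrorAction SilentlyContinue).DisableATMFD

    # Explorer "Always show icons, never thumbnails" is stored per user as IconsOnly = 1.
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $icons = (Get-ItemProperty -Path $advKey -Name 'IconsOnly' -ErrorAction SilentlyContinue).IconsOnly

    [pscustomobject]@{ Check = 'WebClient service disabled'; Observed = $svcState;       Applied = $svcOk }
    [pscustomobject]@{ Check = 'DisableATMFD = 1 (HKLM)';    Observed = (& $show $atm);   Applied = ($atm -eq 1) }
    [pscustomobject]@{ Check = 'IconsOnly = 1 (HKCU)';       Observed = (& $show $icons); Applied = ($icons -eq 1) }
}

Get-FontParsingWorkaroundState | Format-Table -AutoSize
```

A row with Applied set to False means that workaround is not in effect for the account and machine the script ran on.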

Non-ESU Windows 7 systems won’t receive the security update according to Microsoft.

Emsisoft Emergency Kit 2020 update brings a new interface design and dark mode

Emsisoft Emergency Kit has been my go-to secondary scanner for a few years now. I make it a habit to scan each and every program that I download once with the scanner and also with Windows Defender and Malwarebytes Anti-Malware.

So, as per my routine I opened EEK, checked for updates before scanning some new applications that are in my review list. When it completed the update, something looked different, there was a new interface. A quick search revealed that it had been released yesterday.

Fortunately I did save the previous version’s installer, so I installed it on my USB flash drive to observe the changes. So, here’s what’s new in Emsisoft Emergency Kit 2020. It still has the Dual Scanning engine powered by Bitdefender and Emsisoft. But the interface looks more polished with a lighter color palette. The visual improvements were added to keep the program in line with the company’s premium antivirus’ GUI.

There are four tiles on the main screen of Emsisoft Emergency Kit: Scan and Clean, Quarantine, Logs and Settings.

Here’s a screenshot from the previous version for reference. Can you tell what’s different between the two?

The toolbar beneath the primary options has been replaced by text links. The old version had the Settings shortcut on the toolbar, but it has its own tile in the latest update, while the other three tiles have moved a step to the left. The Update option has been moved to the right edge of the screen, you can still see the “last update” information to the left of the update button. The Quick Scan option is available on the overview screen, earlier you had to click on scan and then select the option.

The official release notes don’t mention it, but the side bar to the left of the interface is a new addition as well. Click on the three-line hamburger menu in the top left corner of the screen to expand the side panel. This allows you to jump between the following screens: Overview, Scan, Quarantine, Logs, Settings. The Scan percentage is visible on the side bar, which is useful if you have navigated to a different screen.

Click on the Settings option and you’ll see a new option called Appearance. This allows you to switch between Bright and Dark Mode without having to restart the program.

The other options in the malware removal tool pretty much remain the same. You can read our review of the previous version for more details.

The announcement at the official blog says that there are “Several minor tweaks and fixes” in the Emsisoft Emergency Kit 2020 update though it doesn’t go into the details as to what they are.

The Quick scan was quite fast at about 30 seconds; the malware scan took about 4 minutes (all tests done with multiple programs running in the background and default settings). These seem similar to the previous gen’s performance. From what I can tell, they have given it the “if it ain’t broke, don’t fix it” treatment, which is always good.

Avast shuts down Jumpshot

Avast CEO Ondrej Vlcek announced today on the official Avast blog that the company will shut down Jumpshot, a subsidiary which sold data provided by Avast products to third-party companies.

Avast, best known for its antivirus solutions for various operating systems, expanded significantly in recent years. The company acquired its competitor AVG in 2016 and Piriform, maker of CCleaner in 2017. It also owns HideMyAss, a popular VPN and browser proxy provider.

Wladimir Palant, creator of the popular content blocking solution AdBlock Plus, published an analysis of Avast’s extensions for browsers in late 2019 on his personal blog. He concluded that Avast was collecting more data than it could possibly need to provide security to its users. Mozilla and Google pulled Avast extensions from their stores temporarily at that time but reinstated them soon thereafter, once Avast had made changes to them.

A joint investigation by Vice and PC Magazine revealed additional details about Jumpshot’s business practices. The report confirmed that Jumpshot sold data collected by Avast products to third-party companies after processing it.

Avast CEO Ondrej Vlcek apologized today stating that “Jumpshot has hurt the feelings of many” and that the whole incident “raised a number of questions” including the “fundamental question of trust”.

He goes on to say that Avast’s top priority is to protect people and that “anything to the contrary is unacceptable”.

Avast started Jumpshot in 2015 to extend its “data analytics capabilities beyond core security”. It believed that it could do this “more securely” than other companies that collected data. Jumpshot operated as an independent company according to Vlcek but always within legal bounds.

Avast’s new CEO, who took over seven months ago according to the blog post, started to evaluate every bit of the company’s business when he took over. He concluded (when is not clear) that the data collecting business was not in line with Avast’s “privacy priorities”.

The decision was made to shut down Jumpshot.

I firmly believe it will help Avast focus on and unlock its full potential to deliver on its promise of security and privacy. And I especially thank our users, whose recent feedback accelerated our decision to take quick action.

Closing Words

Avast will have a hard time regaining the trust of its users and ex-users. Time will tell if the company manages to make the u-turn to focus on its core business, security. It will also be interesting to see how the shutdown will affect Avast financially.

Now You: what is your take on Avast’s decision?

Antivirus for Windows 7: support continues

All antivirus solutions remain supported on Microsoft’s Windows 7 operating system after Microsoft ended support for it on January 14, 2020.

The Windows 7 operating system has a large usage base even after support end. While the trend showed a decline for some time, latest NetMarketShare usage stats suggest that it is still installed on over 30% of desktop devices worldwide.

Enterprise customers and businesses may buy support extensions for up to three years; Microsoft decided against making the same offer to users of Home versions of Windows 7.

While Microsoft’s support ended in January, some of the company’s products and most third-party products continue to support Windows 7 at least for the time being.

Antivirus solutions are essential for devices that connect to the Internet or public networks, especially if the operating system itself is out of support and won’t receive security updates anymore.

Tip: Home users may use the solution provided by 0Patch to receive some free (some paid) security patches for Windows 7 after support end.

Antivirus solutions never provide 100% protection and that is even more so the case when it comes to operating systems that are not supported with security patches anymore. A good antivirus solution may however prevent certain attacks or reduce the impact that these attacks have, especially if it is updated regularly.

German antivirus testing institute AV Test wanted to know which antivirus solutions would continue to support Microsoft’s Windows 7 operating system after support end, and for how long.

The institute contacted antivirus companies to find out and published a table of its findings on its website. According to the information, most antivirus solutions continue to be supported on Windows 7 for at least two years. All companies continue to support their antivirus solution with signature updates for the time being.

Here is the summary:

  • Microsoft Security Essentials — no more program updates, but signature updates continue to be provided.
  • Sophos — on premise support until December 2020, cloud-managed support until June 2021.
  • McAfee — at least until December 2021.
  • F-Secure – at least until December 2021.
  • Avira — support ends November 2022.
  • AhnLab, AVG, Avast, Bitdefender, BullGuard, Carbon Black, ESET, FireEye, G Data, Ikarus, Kaspersky, K7 Computing, Microworld, PC Matic, Quick Heal, Seqrite, Symantec/NortonLifeLock, ThreatTrack / Vipre, TotalAV, Trend Micro — support for at least 2 years.

Now You: Still on Windows 7? What do you plan to do about it? (via Born)
