{"id":2436,"date":"2020-03-28T19:50:59","date_gmt":"2020-03-28T17:50:59","guid":{"rendered":"https:\/\/www.identitycosmos.com\/?p=2338"},"modified":"2020-03-28T19:50:59","modified_gmt":"2020-03-28T17:50:59","slug":"zero-day-adv200006-how-to-use-gpos-to-mitigate-your-windows-risks","status":"publish","type":"post","link":"https:\/\/identitycosmos.com\/index.php\/2020\/03\/28\/zero-day-adv200006-how-to-use-gpos-to-mitigate-your-windows-risks\/","title":{"rendered":"Zero-day ADV200006 \u2013 How to use GPOs to mitigate your Windows risks"},"content":{"rendered":"

What is the problem?<\/h1>\n

As you may know, a new zero-day vulnerability (ADV200006) was raised by the security community. This vulnerability targets Windows systems with Adobe Acrobat installed on it, so as you can imagine, it is a very large impact. The problem occurs if the user opens some infected PDF documents or if the user uses thumbnails in the preview pane to visualize a PDF document.<\/p>\n

ADV200006 is using Adobe Type Manager<\/strong> which is managed by the atmfd.dll<\/strong> file. The atmfd.dll<\/strong> file is a kernel module provided by Windows. Using a specially infected document opened or view it in the Windows preview pane, an unauthenticated remote attacker may be able to execute additional code using this Adobe Type Manager Library with kernel privileges on a vulnerable system.<\/p>\n

If you are using the sandbox feature on Windows 10, the impact of the attack is limited \u2013 but if you are using Windows 10 without sandbox feature activated or a previous version of Windows on your workstations, it will be a huge risk for your organization.<\/p>\n

Unfortunately, Microsoft didn’t provided any fix (date is today 2020\/03\/28) for the moment \u2013 for sure it will \u2013 in the meantime you must deploy a workaround to change your workstations configuration and be able to wait for the Microsoft patch.<\/p>\n

You can read more details about ADV200006 using this Microsoft link: https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/adv200006<\/a><\/p>\n

How to mitigate this in a corporate environment?<\/h1>\n

You can use different mitigation methods, but there are existing some variations depending which Windows versions you are using on your corporate network. So, I choose to describe a mitigation method which will work on your different operating systems from Vista to 10.<\/p>\n

Create the first GPO with the user part of the mitigation settings
\n<\/strong><\/span><\/p>\n

Open your GPMC console.<\/p>\n

Right click on the “Group Policy Objects” folder and select the New option:<\/p>\n

\"\"<\/p>\n

For example, name your GPO “GPO_SECU_zeroD_ADV2000068_U-settings”.<\/p>\n

Right click on the new GPO and select the Edit\u2026<\/strong> option:<\/p>\n

\"\"<\/p>\n

Go to User Configuration | Policies | Administrative Templates | Windows Components<\/strong> \u2013 Select File Explorer<\/strong> section:<\/p>\n

\"\"<\/p>\n

Set to Enabled<\/strong> these two GPO options: “Turn off display of thumbnails and only display icons<\/strong>” + “Turn off the display of thumbnails and only display icons on network folders<\/strong>“:<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

So, at the end you should have this:<\/p>\n

\"\"<\/p>\n

Close you GPO and link this GPO with all the automation office user accounts in your organization (in a nutshell, all the user accounts which can be used on your workstation).<\/p>\n

Create the second GPO with the computer part of the mitigation settings
\n<\/strong><\/span><\/p>\n

Important<\/span>: you must use the GPMC tool from a workstation, not from a server, because the service we will want to control doesn’t have the same name on a Windows Server operating system.<\/p>\n

Open your GPMC console.<\/p>\n

Right click on the “Group Policy Objects” folder and select the New option:<\/p>\n

\"\"<\/p>\n

For example, name your GPO “GPO_SECU_zeroD_ADV2000068_C-settings”.<\/p>\n

Right click on the new GPO and select the Edit\u2026<\/strong> option:<\/p>\n

\"\"<\/p>\n

Go to Computer Configuration | Policies | Windows Settings | Security Settings<\/strong> \u2013 Select System Services<\/strong> section:<\/p>\n

\"\"<\/p>\n

Double click on the WebClient<\/strong> service in the right panel and select the following options:<\/p>\n

\"\"<\/p>\n

So, at the end you should have this:<\/p>\n

\"\"<\/p>\n

Close you GPO and link this GPO with all the workstation computer accounts in your organization.<\/p>\n

What is next?<\/h1>\n

Now you must follow and check when Microsoft will release a patch for this zero-day vulnerability. Have a look on this link: https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/adv200006<\/a> or follow the your habitual security gurus.<\/p>\n

When you will get the patch from Microsoft, and after you will apply it, you will be able to revert these two GPOs.<\/p>\n

Stay safe.<\/p>\n","protected":false},"excerpt":{"rendered":"

What is the problem? As you may know, a new zero-day vulnerability (ADV200006) was raised by the security community. This vulnerability targets Windows systems with Adobe Acrobat installed on it, so as you can imagine, it is a very large impact. The problem occurs if the user opens some infected PDF documents or if the […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,1],"tags":[22,107],"class_list":["post-2436","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-non-classe","tag-adv200006","tag-gpo"],"_links":{"self":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/posts\/2436","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/comments?post=2436"}],"version-history":[{"count":0,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/posts\/2436\/revisions"}],"wp:attachment":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/media?parent=2436"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/categories?post=2436"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/tags?post=2436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}