Zero-day ADV200006 – How to use GPOs to mitigate your Windows risks

What is the problem?

As you may know, a new zero-day vulnerability (ADV200006) was raised by the security community. This vulnerability targets Windows systems with Adobe Acrobat installed on it, so as you can imagine, it is a very large impact. The problem occurs if the user opens some infected PDF documents or if the user uses thumbnails in the preview pane to visualize a PDF document.

ADV200006 is using Adobe Type Manager which is managed by the atmfd.dll file. The atmfd.dll file is a kernel module provided by Windows. Using a specially infected document opened or view it in the Windows preview pane, an unauthenticated remote attacker may be able to execute additional code using this Adobe Type Manager Library with kernel privileges on a vulnerable system.

If you are using the sandbox feature on Windows 10, the impact of the attack is limited – but if you are using Windows 10 without sandbox feature activated or a previous version of Windows on your workstations, it will be a huge risk for your organization.

Unfortunately, Microsoft didn’t provided any fix (date is today 2020/03/28) for the moment – for sure it will – in the meantime you must deploy a workaround to change your workstations configuration and be able to wait for the Microsoft patch.

You can read more details about ADV200006 using this Microsoft link: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

How to mitigate this in a corporate environment?

You can use different mitigation methods, but there are existing some variations depending which Windows versions you are using on your corporate network. So, I choose to describe a mitigation method which will work on your different operating systems from Vista to 10.

Create the first GPO with the user part of the mitigation settings

Open your GPMC console.

Right click on the « Group Policy Objects » folder and select the New option:

For example, name your GPO « GPO_SECU_zeroD_ADV2000068_U-settings ».

Right click on the new GPO and select the Edit… option:

Go to User Configuration | Policies | Administrative Templates | Windows Components – Select File Explorer section:

Set to Enabled these two GPO options: « Turn off display of thumbnails and only display icons » + « Turn off the display of thumbnails and only display icons on network folders« :

So, at the end you should have this:

Close you GPO and link this GPO with all the automation office user accounts in your organization (in a nutshell, all the user accounts which can be used on your workstation).

Create the second GPO with the computer part of the mitigation settings

Important: you must use the GPMC tool from a workstation, not from a server, because the service we will want to control doesn’t have the same name on a Windows Server operating system.

Open your GPMC console.

Right click on the « Group Policy Objects » folder and select the New option:

For example, name your GPO « GPO_SECU_zeroD_ADV2000068_C-settings ».

Right click on the new GPO and select the Edit… option:

Go to Computer Configuration | Policies | Windows Settings | Security Settings – Select System Services section:

Double click on the WebClient service in the right panel and select the following options:

So, at the end you should have this:

Close you GPO and link this GPO with all the workstation computer accounts in your organization.

What is next?

Now you must follow and check when Microsoft will release a patch for this zero-day vulnerability. Have a look on this link: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006 or follow the your habitual security gurus.

When you will get the patch from Microsoft, and after you will apply it, you will be able to revert these two GPOs.

Stay safe.