
Live Discover Query - Vulnerability check for ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

  REVIEWED by Sophos 

Windows has a zero-day that won’t be patched for weeks

Well, another day, another zero-day vulnerability. Today I am looking at how best to build a vulnerability check from the information in a CVE and a Microsoft advisory. In this case we are looking at a Windows zero-day that Sophos Naked Security wrote about in late March: https://nakedsecurity.sophos.com/2020/03/25/windows-has-a-zero-day-that-wont-be-patched-for-weeks/

The article links to a Microsoft Security Advisory page (ADV200006) that identifies the Type 1 Font Parsing Remote Code Execution vulnerability, lists the vulnerable operating systems, and gives a mitigation that can be applied with a registry change.

The objective is a query that can be run on all Windows systems and reports whether the OS is vulnerable and whether the mitigation is enabled or not. The ideal solution is a template that we can reuse for similar scenarios, so the query can be quickly re-purposed for other threats.

We want to do this with a single SELECT statement, and it needs to check two very different things: the OS version/build information and the presence or absence of a registry value.

SQL provides lots of ways of doing just that. Below is the one I settled on.

We want to ensure we get a response from the query even if the device is not vulnerable, so we need a conditional expression; a CASE statement works nicely for that. Each CASE wraps a scalar subquery that returns '1' when a matching row exists and NULL otherwise, which is what lets the ELSE branch report the negative result instead of returning no row at all.

/* probably not the most efficient way to do this */
SELECT
   /* Check if the OS is listed as vulnerable or not.
      Windows 10 and Windows Server share build numbers, so each build is listed once.
      os_version has a single row, so the subquery yields '1' or NULL. */
   CASE (SELECT '1' FROM os_version WHERE
         (major = '10' AND build = '14393') OR  /* version 1607 / Windows Server 2016 */
         (major = '10' AND build = '16299') OR  /* version 1709 */
         (major = '10' AND build = '17134') OR  /* version 1803 */
         (major = '10' AND build = '17763') OR  /* version 1809 / Windows Server 2019 */
         (major = '10' AND build = '18362') OR  /* version 1903 */
         (major = '10' AND build = '18363') OR  /* version 1909 */
         (major = '6' AND minor = '0') OR       /* Windows Server 2008 */
         (major = '6' AND minor = '1') OR       /* Windows 7 / Windows Server 2008 R2 */
         (major = '6' AND minor = '2') OR       /* Windows Server 2012 */
         (major = '6' AND minor = '3')          /* Windows 8.1 / Windows Server 2012 R2 */
      )
      WHEN '1' THEN 'TRUE'
      ELSE 'FALSE'
   END AS 'Vulnerable OS',

   /* Check if the mitigation is set or NOT.
      LIKE without wildcards gives a case-insensitive exact match on the value name,
      which matches how Windows treats registry value names; data must be exactly 1. */
   CASE (SELECT '1' FROM registry WHERE
         key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' AND
         name LIKE 'DisableATMFD' AND
         data = '1'
      )
      WHEN '1' THEN 'ENABLED'
      ELSE 'Not SET'
   END AS 'Mitigation - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD = 1'
;
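To show the template idea from the post in action, here is an added example (my own code, not the post's query or anything from Sophos). It generates the same two-column CASE query from a list of vulnerable (major, minor, build) triples and a mitigation value, then runs it against in-memory SQLite tables that stand in for osquery's os_version and registry tables. The table layouts, the host names, the registry rows and the helper names (build_query, check_host, reg_value, run_samples) are all constructed for the example; the build numbers and the DisableATMFD mitigation are the ones the post lists.

```python
import sqlite3

# Added example (not the page's or Sophos' code): the page's CASE-based Live Discover
# query turned into a reusable template, run against in-memory SQLite tables that
# mimic osquery's os_version and registry tables with constructed sample rows.

# (major, minor, build) triples taken from the page's query; None means "don't care".
# Windows 10 and Windows Server share build numbers, so each build appears once.
VULNERABLE_OS = [
    ("10", None, "14393"),  # Windows 10 1607 / Windows Server 2016
    ("10", None, "16299"),  # 1709
    ("10", None, "17134"),  # 1803
    ("10", None, "17763"),  # 1809 / Windows Server 2019
    ("10", None, "18362"),  # 1903
    ("10", None, "18363"),  # 1909
    ("6", "1", None),       # Windows 7 / Windows Server 2008 R2
    ("6", "2", None),       # Windows Server 2012
    ("6", "3", None),       # Windows 8.1
]

# Mitigation from ADV200006 as given on the page: DisableATMFD = 1 (DWORD) under this key.
MITIGATION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
MITIGATION_NAME = "DisableATMFD"
MITIGATION_DATA = "1"


def build_query(vulnerable_os, key, name, data):
    """Generate the two-column CASE query plus its bound parameters.

    Values are bound with '?' placeholders rather than pasted into the SQL text, so a
    build list or key copied from an advisory can never change the query's shape.
    """
    clauses, params = [], []
    for major, minor, build in vulnerable_os:
        parts, values = ["major = ?"], [major]
        if minor is not None:
            parts.append("minor = ?")
            values.append(minor)
        if build is not None:
            parts.append("build = ?")
            values.append(build)
        clauses.append("(" + " AND ".join(parts) + ")")
        params.extend(values)
    os_filter = " OR ".join(clauses)
    sql = (
        "SELECT "
        # Scalar subquery yields '1' when the single os_version row matches the list.
        f"CASE (SELECT '1' FROM os_version WHERE {os_filter}) "
        "WHEN '1' THEN 'TRUE' ELSE 'FALSE' END AS vulnerable_os, "
        # LIKE without wildcards: case-insensitive exact match on the value name.
        "CASE (SELECT '1' FROM registry WHERE key = ? AND name LIKE ? AND data = ?) "
        "WHEN '1' THEN 'ENABLED' ELSE 'Not SET' END AS mitigation"
    )
    params.extend([key, name, data])
    return sql, params


def check_host(os_row, registry_rows):
    """Run the generated query against one constructed host; return (vulnerable_os, mitigation)."""
    con = sqlite3.connect(":memory:")
    # Column types follow osquery: major/minor INTEGER, build TEXT, registry data TEXT.
    con.execute("CREATE TABLE os_version (name TEXT, major INTEGER, minor INTEGER, build TEXT)")
    con.execute("CREATE TABLE registry (key TEXT, path TEXT, name TEXT, type TEXT, data TEXT)")
    con.execute("INSERT INTO os_version VALUES (?, ?, ?, ?)", os_row)
    con.executemany("INSERT INTO registry VALUES (?, ?, ?, ?, ?)", registry_rows)
    sql, params = build_query(VULNERABLE_OS, MITIGATION_KEY, MITIGATION_NAME, MITIGATION_DATA)
    result = con.execute(sql, params).fetchone()
    con.close()
    return result


def reg_value(name, data):
    """Constructed registry row for a DWORD value under the mitigation key."""
    return (MITIGATION_KEY, MITIGATION_KEY + "\\" + name, name, "REG_DWORD", data)


# Constructed hosts covering the outcomes the query can report.
SAMPLE_HOSTS = {
    "win10-1909-mitigated": (("Microsoft Windows 10 Enterprise", 10, 0, "18363"),
                             [reg_value("DisableATMFD", "1")]),
    "win7-unmitigated": (("Microsoft Windows 7 Professional", 6, 1, "7601"), []),
    "win10-1809-value-zero": (("Microsoft Windows 10 Pro", 10, 0, "17763"),
                              [reg_value("DisableATMFD", "0")]),  # value present but not 1
    "win10-2004-not-listed": (("Microsoft Windows 10 Pro", 10, 0, "19041"), []),
}


def run_samples():
    """Evaluate every constructed host; returns {host: (vulnerable_os, mitigation)}."""
    return {host: check_host(os_row, regs) for host, (os_row, regs) in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    for host, (vulnerable, mitigation) in run_samples().items():
        print(f"{host:24} Vulnerable OS={vulnerable:5} Mitigation={mitigation}")
```

The "value present but not 1" host is the case worth keeping in any re-purposed copy: a mitigation row that exists with the wrong data still reports "Not SET", which is the answer you want when someone has toggled the value back. Swapping VULNERABLE_OS and the three MITIGATION_ constants is all it takes to aim the same template at a different advisory.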
