F-Secure Application Control helps mitigating against new unpatched vulnerabilities

Last week Microsoft issued a new Security Advisor that targets almost every Windows version. The detected vulnerability in their font parsing that can be used to allow remote code execution. Microsoft will issue a fix for affected operating systems.

In the meantime Microsoft suggests a number of workarounds in order to temporarily mitigate the threat until a patch is made available. One of these was to prevent the loading of an operating system binary, ATMFD.DLL. Their recommendation was to rename the binary, and to do this administrator rights are needed on each computer.

F-Secure Application Control is a module included in premium versions of F-Secure PSB and in F-Secure Client Security. With Application Control, it is possible for the organization’s administrator to create a rule to prevent this binary being loaded, and to share that rule to all of their computers, automatically helping to mitigate the problem.

To create the rule, the admin needs to make a few small modifications to the "profile" used by the F-Secure software. In the following example, we will use Protection Service for Business, but similar actions can be made with the Business Suite software.

1. Select the profile in the PSB portal to edit.
2. Choose "Application Control" on the left side menu
3. Add an exclusion
4. Rule name (1) – this is freeform text, but we advise naming it so it relates to the particular advisory, so when you come to review rules it is quite obvious what it is for.
5. Event (2) – Choose "Module load”, as this is a DLL (library module) that we want to work with
6. Action (3) – Initially, choose "Allow and monitor”, as this will report to the portal if something tries to load the module, but will not block the action. Very handy for testing rules!
7. On the second row of the rule creation, select an attribute (4) from the drop down menu. In this case we want to select "Target file name”.
8. Select a condition (5). In this case, we want to select "contains”
9. In the final box (6) on the second row, enter atmfd.dll
10. When all the fields have been set, "Save and Publish” (7). This rule is then sent to all computers that are using this profile.

After this, any computer attempting to load this module will report to the portal. When the administrator is happy the rule is detecting correctly, and not interfering with business critical applications, they can edit the rule so that the action becomes "Block”.