luweitest Posted April 14, 2020

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#ID0EMGAC

The above link does not mention that Windows XP is affected, but says vaguely "before Windows 10".

RainyShadow Posted April 14, 2020

Is there a proper fix released for any version of Windows? (I'm not asking about some half-assed workaround that just disables/deletes the affected .DLL and file associations.)

Guest Posted April 15, 2020 (edited)

Yesterday's Microsoft patch resolved the CVE-2020-0938 and CVE-2020-1020 vulnerabilities for supported OSs.
For W.7 there is 0Patch.
For OS prior to W.7 only the mitigations described by Microsoft + my personal solutions.

Edited April 15, 2020 by Sampei.Nihira

luweitest Posted April 18, 2020 (Author)

OK, then I applied the registry patch that, according to MS, "completely mitigates the issue though can introduce usability issues in rare cases".

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DisableATMFD"=dword:00000001

No issues observed till now (3 days).

XPHomeSP3 Posted April 27, 2020

I went the route of trying to rename the ATMFD.DLL file via a command prompt as per Microsoft's instructions. I chose this option because it has the added benefit of reliably blocking all remote and local attacks using the vulnerabilities in question. However, XP tells me that the commands are not recognized when trying to implement the change. Here are the commands I used:

    cd "%windir%\system32"
    takeown.exe /f atmfd.dll
    icacls.exe atmfd.dll /save atmfd.dll.acl
    icacls.exe atmfd.dll /grant Administrators:(F)
    rename atmfd.dll x-atmfd.dll

Am I doing something wrong or does this method not work on XP due to trying to assign ownership of the file?

dencorso Posted April 27, 2020

4 hours ago, XPHomeSP3 said:
> However, XP tells me that the commands are not recognized when trying to implement the change.

Inexistent commands cannot be run.

EdSon Posted April 27, 2020 (edited)

On WinXP it is simpler:

    CD %WinDir%\System32
    Ren atmfd.dll x-atmfd.dll

BUT atmfd.dll auto-restores:

    C:\WINDOWS\system32>dir *atmfd.dll
    14/04/2008  07:00  285.696 atmfd.dll
    1 archivos 285.696 bytes
    0 dirs 7.849.308.160 bytes libres

    C:\WINDOWS\system32>ren atmfd.dll x-atmfd.dll

    C:\WINDOWS\system32>dir *atmfd.dll
    14/04/2008  07:00  285.696 atmfd.dll
    14/04/2008  07:00  285.696 x-atmfd.dll
    2 archivos 571.392 bytes
    0 dirs 7.849.308.160 bytes libres

This works in Windows XP, but displays an alert dialog:

    cd %windir%\system32
    ren atmfd.dll x-atmfd.dll & ren dllcache\atmfd.dll x-atmfd.dll

Edited April 27, 2020 by EdSon

XPHomeSP3 Posted April 28, 2020

7 hours ago, EdSon said:
> On WinXP it is simpler:
>
>     CD %WinDir%\System32
>     Ren atmfd.dll x-atmfd.dll
>
> BUT atmfd.dll auto-restores:
>
>     C:\WINDOWS\system32>dir *atmfd.dll
>     14/04/2008  07:00  285.696 atmfd.dll
>     1 archivos 285.696 bytes
>     0 dirs 7.849.308.160 bytes libres
>
>     C:\WINDOWS\system32>ren atmfd.dll x-atmfd.dll
>
>     C:\WINDOWS\system32>dir *atmfd.dll
>     14/04/2008  07:00  285.696 atmfd.dll
>     14/04/2008  07:00  285.696 x-atmfd.dll
>     2 archivos 571.392 bytes
>     0 dirs 7.849.308.160 bytes libres
>
> This works in Windows XP, but displays an alert dialog:
>
>     cd %windir%\system32
>     ren atmfd.dll x-atmfd.dll & ren dllcache\atmfd.dll x-atmfd.dll

First of all, somewhat similar to this, I tried to manually rename the atmfd.dll file by right clicking on it and I ended up with two files named atmfd.dll and x-atmfd.dll and now I cannot delete either one. Why does atmfd.dll auto-restore and why can I not manually delete x-atmfd.dll?

Forgive my further ignorance here, but I assume ren is the abbreviation for rename, correct? Also, I do not understand the second part of the last line above which reads

    ren dllcache\atmfd.dll x-atmfd.dll

Could you please clarify this for me? What does this command mean and what does it attempt to accomplish?

EdSon Posted April 28, 2020

The dllcache directory is like a backup of the original Windows system files. The SFC /ScanNow command checks the actual Windows system files against the original files in dllcache and restores them if necessary.

The WinLogon.exe:sfc_os.dll system process continuously checks for changes to Windows system files (Windows File Protection); it detects that C:\Windows\System32\atmfd.dll is not found, checks the backup C:\Windows\System32\DllCache\atmfd.dll for integrity and restores the atmfd.dll file.

Delete x-atmfd.dll:

    del C:\Windows\System32\x-atmfd.dll

Change directory and rename atmfd.dll and dllcache\atmfd.dll:

    cd %windir%\system32
    ren atmfd.dll x-atmfd.dll & ren dllcache\atmfd.dll x-atmfd.dll

Windows File Protection: https://support.microsoft.com/en-us/help/222193/description-of-the-windows-file-protection-feature
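
The following read-only status check is an added example, not part of any post in this thread: it reports the DisableATMFD registry value posted earlier and whether atmfd.dll, its dllcache copy and the renamed x-atmfd.dll are present, which shows at a glance whether Windows File Protection has put the file back. It assumes reg.exe and find.exe are available on the machine; the key, value and file names are the ones given in the posts above.

```batch
@echo off
rem Added example, not from any post in this thread. Read-only: it queries
rem the registry and tests for files, and changes nothing on the system.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
set "SYS=%windir%\system32"
set "REGSTATE=not set"
set "LIVE=absent"
set "CACHE=absent"
set "RENAMED=absent"

rem reg query prints a line like:  DisableATMFD  REG_DWORD  0x1
rem The third whitespace-separated token is the value data.
for /f "tokens=1-3" %%A in ('reg query "%KEY%" /v DisableATMFD 2^>nul ^| find /i "DisableATMFD"') do set "REGSTATE=%%C"

rem "if exist" also sees hidden files, so the hidden dllcache folder is covered.
if exist "%SYS%\atmfd.dll" set "LIVE=present"
if exist "%SYS%\dllcache\atmfd.dll" set "CACHE=present"
if exist "%SYS%\x-atmfd.dll" set "RENAMED=present"

echo DisableATMFD value ........ %REGSTATE%
echo system32\atmfd.dll ........ %LIVE%
echo system32\dllcache copy .... %CACHE%
echo system32\x-atmfd.dll ...... %RENAMED%
echo.

rem Interpretation, following the explanations given in the thread.
if "%REGSTATE%"=="0x1" echo Registry workaround: DisableATMFD is set to 1.
if not "%REGSTATE%"=="0x1" echo Registry workaround: DisableATMFD is not set to 1.
if "%LIVE%"=="absent" echo Rename workaround: atmfd.dll is no longer in system32.
if "%LIVE%"=="present" if "%RENAMED%"=="present" echo Rename workaround: atmfd.dll is back next to x-atmfd.dll, so it was restored.
if "%LIVE%"=="present" if "%CACHE%"=="present" echo The dllcache copy still exists, so Windows File Protection can restore a renamed atmfd.dll.
endlocal
```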

XPHomeSP3 Posted April 28, 2020

Thank you for the clarification and explanation, EdSon.

So, if I wanted to undo the renaming of the atmfd.dll file to x-atmfd.dll (i.e., restore the original atmfd.dll file), would I then use the following commands:

    cd %windir%\system32
    ren x-atmfd.dll atmfd.dll & ren dllcache\x-atmfd.dll atmfd.dll

XPHomeSP3 Posted April 30, 2020

Oh. Oh. When I originally tried to re-name the atmfd.dll file by right clicking on it and "changing it", when atmfd.dll auto-restored, it restored with an older version of the file:

    renamed atmfd.dll file - v5.1.2.253 (291 kb)
    auto-restored atmfd.dll file - v5.1.2.226 (279 kb)

When I then try to use the commands you have listed in the above post, I keep getting the "A duplicate file name exists, or the file cannot be found" message.

How do I fix this and have the atmfd.dll - v5.1.2.253 (291 kb) file restored to system32 instead of the older atmfd.dll - v5.1.2.226 (279 kb) file? I assume the atmfd.dll file must have had its version number changed due to a Windows update at some point, yes?

Your expert guidance would be greatly appreciated.

XPHomeSP3 Posted May 6, 2020

I'm really sorry to keep asking about this, but I just do not understand what is happening as a result of renaming the ATMFD.DLL file through the command prompt commands given above. Specifically, if the ATMFD.DLL file is renamed to X-ATMFD.DLL but then gets auto restored because it is a protected Windows file, doesn't this mean you are still not protected from the CVE-2020-0938 and CVE-2020-1020 vulnerabilities since ATMFD.DLL is still present afterwards?

Forgive my ignorance, but I would really like to understand this. Thank you.

Guest Posted May 7, 2020

I don't understand why you didn't follow the easy way recommended by Microsoft. You can apply 2 Workarounds without having any problems, I personally have applied:

1) Disable the WebClient service.
2) DisableATMFD registry key manually.

I also applied my other 2 personal mitigations listed in the specific 3D. So in total 4, and I have no problem.

XPHomeSP3 Posted May 7, 2020 (edited)

12 hours ago, Sampei.Nihira said:
> I don't understand why you didn't follow the easy way recommended by Microsoft. You can apply 2 Workarounds without having any problems, I personally have applied:
>
> 1) Disable the WebClient service.
> 2) DisableATMFD registry key manually.
>
> I also applied my other 2 personal mitigations listed in the specific 3D. So in total 4, and I have no problem.

There are two reasons why:

1. I read on the 0patch.com blog entry for March 26, 2020, entitled "Micropatching Unknown 0days in Windows Type 1 Font Parsing", that renaming the ATMFD.DLL file reliably blocks all remote and local attacks using these vulnerabilities. The article specifically says, "This is the most effective mitigation, because it eliminates the vulnerable code." As I understand it, your suggestions, while certainly effective, only block remote attacks. Correct?

2. I didn't realize that Windows XP didn't behave the same way as Windows 7 and Windows 10 do when renaming a protected file such as ATMFD.DLL. In hindsight, I would not have done so if I had known this.

Knock on wood, I'm not experiencing any problems so far as a result of my actions, but I still don't have the answer to my questions:

1. Am I still unprotected despite using the command prompt commands listed above to rename ATMFD.DLL in Windows XP?

2. How can I restore the ATMFD.DLL file to v.5.1.2.253 (the version it was before I renamed it and it subsequently auto-repaired)?

Thank you.

P.S. One more thing, what does "the specific 3D" mean?

Edited May 7, 2020 by XPHomeSP3