jaclaz
Posted May 7, 2020 (edited)

21 minutes ago, XPHomeSP3 said:
> P.S. One more thing, what does "the specific 3D" mean?

It is "thread" written in an SMS or by a lazy person (I would think the latter, since it is not an SMS and no link to the specific thread where the other 2 personal mitigations are was given).

jaclaz

Sampei.Nihira
Posted May 7, 2020

19 minutes ago, jaclaz said:
> It is "thread" written in an SMS or by a lazy person (I would think the latter, since it is not an SMS and no link to the specific thread where the other 2 personal mitigations are was given).
>
> jaclaz

The 3D to which I refer is written, and therefore it is evident, in the second post of this same 3D.

Sampei.Nihira
Posted May 7, 2020

45 minutes ago, XPHomeSP3 said:
> There's two reasons why:
>
> 1. I read on the 0patch.com blog entry for March 26, 2020, entitled "Micropatching Unknown 0days in Windows Type 1 Font Parsing", that renaming the ATMFD.DLL file reliably blocks all remote and local attacks using these vulnerabilities. The article specifically says, "This is the most effective mitigation, because it eliminates the vulnerable code." As I understand it, your suggestions, while certainly effective, only block remote attacks. Correct?
> 2. I didn't realize that Windows XP didn't behave the same way as Windows 7 and Windows 10 do when renaming a protected file such as ATMFD.DLL. In hindsight, I would not have done so if I had known this.
>
> Knock on wood, I'm not experiencing any problems so far as a result of my actions, but I still don't have the answer to my questions:
>
> 1. Am I still unprotected despite using the command prompt commands listed above to rename ATMFD.DLL in Windows XP?
> 2. How can I restore the ATMFD.DLL file to v.5.1.2.253 (the version it was before I renamed it and it subsequently auto-repaired)?
>
> Thank you.
>
> P.S. One more thing, what does "the specific 3D" mean?

Disable the WebClient service = Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class.

DisableATMFD registry key manually = Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases.

1) Yes.
2) I leave this question to someone who is more competent than me.

XPHomeSP3
Posted May 7, 2020

47 minutes ago, Sampei.Nihira said:
> DisableATMFD registry key manually = Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases.

I'm not sure how many times I've read the 0patch blog post I referenced previously, but after re-reading it again I apparently glazed over this line:

"Renaming ATMFD.DLL or disabling ATMFD via registry makes the vulnerability unreachable even for a local attacker who has ability to execute low-privileged arbitrary code on the computer."

Personally, I'm not a fan of modifying the registry because I don't want to mistakenly cause serious damage. For me, renaming the ATMFD.DLL file seemed like a less risky choice to do and then undo if necessary.
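
An added example, not part of any post in this thread: a read-only PowerShell check that reports the state of the three mitigations discussed above (renamed ATMFD.DLL, the DisableATMFD registry value, the WebClient service). The registry location and the value 1 are taken from Microsoft's published workaround rather than from the thread, and the script assumes PowerShell 2.0 or later is installed.

```powershell
# Added example: report the state of the ATMFD mitigations. Changes nothing.
# Assumption: DisableATMFD is a DWORD under the key below, with 1 meaning disabled.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# 1. Rename mitigation: is the driver present under its original name?
#    On Windows XP a renamed protected file can be restored automatically,
#    so a rename that succeeded earlier may no longer be in effect.
foreach ($dir in @("$env:windir\System32", "$env:windir\SysWOW64")) {
    if (-not (Test-Path $dir)) { continue }   # SysWOW64 exists only on 64-bit
    $dll = Join-Path $dir 'atmfd.dll'
    if (Test-Path $dll) {
        $ver = (Get-Item $dll).VersionInfo.FileVersion
        Write-Output "PRESENT  $dll (version $ver): rename mitigation not in effect"
    } else {
        Write-Output "ABSENT   $dll"
    }
}

# 2. Registry mitigation. Per the thread, this only works before Windows 10.
$prop = Get-ItemProperty -Path $regPath -Name DisableATMFD -ErrorAction SilentlyContinue
if ($prop -and $prop.DisableATMFD -eq 1) {
    Write-Output "SET      DisableATMFD = 1"
} else {
    Write-Output "NOT SET  DisableATMFD"
}

# 3. WebClient service. Per the thread, disabling it does not help when a
#    document with the vulnerable font class is opened locally.
$svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
if (-not $svc) {
    Write-Output "ABSENT   WebClient service"
} else {
    Write-Output "WebClient StartMode=$($svc.StartMode) State=$($svc.State)"
}
```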