luweitest

Should I apply the critical fix?


Is there a proper fix released for any version of Windows?

(I'm not asking about some half-assed workaround that just disables/deletes the affected .DLL and file associations)


Yesterday's Microsoft patch resolved the CVE-2020-0938 and CVE-2020-1020 vulnerabilities for supported OSs.

For W.7 there is 0Patch.

For OS prior to W.7 only the mitigations described by Microsoft + my personal solutions.

Edited by Sampei.Nihira
  • Like 1


OK, then I applied the registry patch that, according to MS, "completely mitigates the issue though can introduce usability issues in rare cases".

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DisableATMFD"=dword:00000001

No issues observed till now (3 days).


I went the route of trying to rename the ATMFD.DLL file via a command prompt as per Microsoft's instructions.

I chose this option because it has the added benefit of reliably blocking all remote and local attacks using the vulnerabilities in question.

However, XP tells me that the commands are not recognized when trying to implement the change.

Here are the commands I used:

cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

Am I doing something wrong or does this method not work on XP due to trying to assign ownership of the file?

4 hours ago, XPHomeSP3 said:

However, XP tells me that the commands are not recognized when trying to implement the change.

Inexistent commands cannot be run. :yes:


On WinXP it is simpler:

CD %WinDir%\System32
Ren atmfd.dll x-atmfd.dll

BUT atmfd.dll auto-restores :o

C:\WINDOWS\system32>dir *atmfd.dll

14/04/2008  07:00           285.696 atmfd.dll
               1 archivos        285.696 bytes
               0 dirs   7.849.308.160 bytes libres

C:\WINDOWS\system32>ren atmfd.dll x-atmfd.dll

C:\WINDOWS\system32>dir *atmfd.dll

14/04/2008  07:00           285.696 atmfd.dll
14/04/2008  07:00           285.696 x-atmfd.dll
               2 archivos        571.392 bytes
               0 dirs   7.849.308.160 bytes libres

This works in Windows XP, but displays an alert dialog:

cd %windir%\system32
ren atmfd.dll x-atmfd.dll & ren dllcache\atmfd.dll x-atmfd.dll
Edited by EdSon

7 hours ago, EdSon said:

On WinXP it is simpler:


CD %WinDir%\System32
Ren atmfd.dll x-atmfd.dll

BUT atmfd.dll auto-restores :o

 


C:\WINDOWS\system32>dir *atmfd.dll

14/04/2008  07:00           285.696 atmfd.dll
               1 archivos        285.696 bytes
               0 dirs   7.849.308.160 bytes libres

C:\WINDOWS\system32>ren atmfd.dll x-atmfd.dll

C:\WINDOWS\system32>dir *atmfd.dll

14/04/2008  07:00           285.696 atmfd.dll
14/04/2008  07:00           285.696 x-atmfd.dll
               2 archivos        571.392 bytes
               0 dirs   7.849.308.160 bytes libres

This works in Windows XP, but displays an alert dialog:


cd %windir%\system32
ren atmfd.dll x-atmfd.dll & ren dllcache\atmfd.dll x-atmfd.dll

First of all, somewhat similar to this, I tried to manually rename the atmfd.dll file by right clicking on it and I ended up with two files named atmfd.dll and x-atmfd.dll and now I cannot delete either one.

Why does atmfd.dll auto-restore and why can I not manually delete x-atmfd.dll ?

Forgive my further ignorance here, but I assume ren is the abbreviation for rename, correct?

Also, I do not understand the second part of the last line above which reads ren dllcache\atmfd.dll x-atmfd.dll

Could you please clarify this for me? What does this command mean and what does it attempt to accomplish?


The dllcache directory is like a backup of the original Windows system files. The SFC /ScanNow command checks the current Windows system files against the original files in dllcache and restores them if necessary.

The WinLogon.exe:sfc_os.dll system process continuously checks for changes to Windows system files (Windows File Protection); it detects that the C:\Windows\System32\atmfd.dll file is missing, checks the backup C:\Windows\System32\DllCache\atmfd.dll for integrity, and restores the atmfd.dll file.

Delete x-atmfd.dll:

del C:\Windows\System32\x-atmfd.dll

Change directory and rename atmfd.dll and dllcache\atmfd.dll:

cd %windir%\system32
ren atmfd.dll x-atmfd.dll & ren dllcache\atmfd.dll x-atmfd.dll

Windows File Protection: https://support.microsoft.com/en-us/help/222193/description-of-the-windows-file-protection-feature

  • Like 1
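
An added example, not part of any post in this thread: a read-only batch file that reports the state of the mitigations discussed here (the DisableATMFD value, the WebClient service, and which copies of atmfd.dll exist in system32 and dllcache). It assumes the default paths used in the posts and a command prompt with command extensions enabled; it changes nothing and only prints what it finds.

```batch
@echo off
rem Added example, not from the thread: report (read-only) the state of the
rem ATMFD mitigations discussed above. Nothing is renamed, deleted or written.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

echo == DisableATMFD registry value ==
reg query "%KEY%" /v DisableATMFD >nul 2>&1
if errorlevel 1 (
    echo   DisableATMFD is not set
) else (
    rem Print only the line that carries the value, e.g. REG_DWORD 0x1
    reg query "%KEY%" /v DisableATMFD | find /i "DisableATMFD"
)

echo == atmfd.dll copies ==
rem Per the thread, on XP a copy left in dllcache lets Windows File Protection
rem put atmfd.dll back into system32, so both locations are checked.
call :check "%windir%\system32\atmfd.dll"
call :check "%windir%\system32\dllcache\atmfd.dll"
call :check "%windir%\system32\x-atmfd.dll"
call :check "%windir%\system32\dllcache\x-atmfd.dll"

echo == WebClient service: current state and start type ==
sc query WebClient
sc qc WebClient

endlocal
goto :eof

:check
rem %~z1 is the file size in bytes and %~t1 its timestamp, which helps tell a
rem restored older copy from the one that was renamed.
if exist "%~1" (
    echo   present: %~1  [%~z1 bytes, %~t1]
) else (
    echo   absent:  %~1
)
goto :eof
```

Running it before and after a rename shows whether atmfd.dll has reappeared in system32 and whether the size of the restored copy differs from the renamed one.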


Thank you for the clarification and explanation, EdSon.

So, if I wanted to undo the renaming of the atmfd.dll file to x-atmfd.dll (i.e., restore the original atmfd.dll file), would I then use the following commands:

cd %windir%\system32

ren x-atmfd.dll atmfd.dll & ren dllcache\x-atmfd.dll atmfd.dll


Oh. Oh.

When I originally tried to rename the atmfd.dll file by right clicking on it and "changing it",
when atmfd.dll auto-restored, it restored with an older version of the file:

renamed atmfd.dll file - v5.1.2.253 (291 kb)
auto-restored atmfd.dll file - v5.1.2.226 (279 kb)

When I then try to use the commands you have listed in the above post, I keep getting "A duplicate file name exists, or the file cannot be found" message.

How do I fix this and have the atmfd.dll - v5.1.2.253 (291 kb) file restored to system32 instead of the older atmfd.dll - v5.1.2.226 (279 kb) file?

I assume the atmfd.dll file must have had its version number changed due to a Windows update at some point, yes?

Your expert guidance would be greatly appreciated.


I'm really sorry to keep asking about this, but I just do not understand what is happening as a result of renaming the ATMFD.DLL file through the command prompt commands given above.

Specifically, if the ATMFD.DLL file is renamed to X-ATMFD.DLL but then gets auto restored because it is a protected Windows file, doesn't this mean you are still not protected from the CVE-2020-0938 and CVE-2020-1020 vulnerabilities since ATMFD.DLL is still present afterwards?

Forgive my ignorance, but I would really like to understand this.

Thank you.


I don't understand why you didn't follow the easy way recommended by Microsoft.
You can apply 2 Workarounds without having any problems, I personally have applied:

1) Disable the WebClient service.
2) DisableATMFD registry key manually.

I also applied my other 2 personal mitigations listed in the specific 3D.
So in total 4, and I have no problem.

12 hours ago, Sampei.Nihira said:

I don't understand why you didn't follow the easy way recommended by Microsoft.
You can apply 2 Workarounds without having any problems, I personally have applied:

1) Disable the WebClient service.
2) DisableATMFD registry key manually.

I also applied my other 2 personal mitigations listed in the specific 3D.
So in total 4, and I have no problem.

There are two reasons why:

1.  I read on the 0patch.com blog entry for March 26, 2020, entitled "Micropatching Unknown 0days in Windows Type 1 Font Parsing", that renaming the ATMFD.DLL file reliably blocks all remote and local attacks using these vulnerabilities.  The article specifically says, "This is the most effective mitigation, because it eliminates the vulnerable code."  As I understand it, your suggestions, while certainly effective, only block remote attacks.  Correct?
 
2.  I didn't realize that Windows XP didn't behave the same way as Windows 7 and Windows 10 do when renaming a protected file such as ATMFD.DLL.  In hindsight, I would not have done so if I had known this.

Knock on wood, I'm not experiencing any problems so far as a result of my actions, but I still don't have the answer to my questions:

1.  Am I still unprotected despite using the command prompt commands listed above to rename ATMFD.DLL in  Windows XP?

2.  How can I restore the ATMFD.DLL file to v.5.1.2.253 (the version it was before I renamed it and it subsequently auto-repaired)?

Thank you.

P.S.  One more thing, what does "the specific 3D" mean?

 

Edited by XPHomeSP3
