Sampei.Nihira Posted April 16, 2020 (edited)

An interesting zero-impact software for our Windows XP that can resolve the 0-day vulnerabilities in the absence of Microsoft updates:
https://excubits.com/content/en/products_bouncer.html

The vulnerabilities to be solved would be these:
https://msfn.org/board/topic/181242-cve-2020-0674-and-ie8/
https://msfn.org/board/topic/181352-microsoft-warns-of-hackers-abusing-windows-adobe-library-zero-days/

Example of mitigation of the vulnerability in I.E.8:
https://excubits.com/content/en/news.html

Quote
The Microsoft Internet Explorer Scripting Engine contains a memory corruption vulnerability. The vulnerability allows a remote attacker to execute arbitrary code. For more details see CERT VU#338824 and Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability. Using Excubits Bouncer you can easily mitigate the vulnerability by blacklisting:
*>C:\Windows\*jscript.dll

In the FAQ it is specified:

Quote
What about Bouncer and Windows XP/Vista
We still have internal versions of Bouncer supporting Windows XP and Vista, but they do not support all the cool new features of Bouncer, because both operating systems are fairly old and do not support all the APIs we make use of in Bouncer now. But we can provide special versions for Windows XP and Vista. Please get in contact for more details.

If the software is interesting we could ask for the Windows XP demo version, then write the configuration file.

For the next vulnerability, another line should be blacklisted:
*>C:\Windows\System32\atmfd.dll

In this thread the configuration files of some users:
https://www.wilderssecurity.com/threads/bouncer-previously-tuersteher-light.359127/page-75#post-2910396

Edited April 16, 2020 by Sampei.Nihira
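To see what the two quoted blacklist lines actually cover, here is an added example (not part of the post, and not Excubits' own code) that evaluates Bouncer-style rules against constructed module-load events. It assumes the `>` separator reads as "parent process pattern > target path pattern" with `*` wildcards and case-insensitive Windows paths; the `TARGETED` rule set and the `iexplore.exe` parent pattern are assumptions used to show how a rule could be scoped.

```python
import fnmatch

# Blacklist rules quoted in the thread (Bouncer syntax; ">" = parent>target, an assumption here).
BLACKLIST = [
    r"*>C:\Windows\*jscript.dll",         # IE8 scripting engine (CVE-2020-0674)
    r"*>C:\Windows\System32\atmfd.dll",   # Adobe Type Manager font driver
]

# Assumed variant: restrict the jscript.dll rule to Internet Explorer only.
TARGETED = [
    r"*\iexplore.exe>C:\Windows\*jscript.dll",
    r"*>C:\Windows\System32\atmfd.dll",
]


def parse_rule(rule):
    """Split 'parent>target' into its two wildcard patterns."""
    parent, _, target = rule.partition(">")
    return parent, target


def matches(rule, parent_exe, target_path):
    parent_pat, target_pat = parse_rule(rule)
    # Windows paths are case-insensitive, so compare lower-cased strings.
    # fnmatch treats "\" literally, so backslash paths need no escaping.
    return (fnmatch.fnmatchcase(parent_exe.lower(), parent_pat.lower())
            and fnmatch.fnmatchcase(target_path.lower(), target_pat.lower()))


def evaluate(parent_exe, target_path, rules=BLACKLIST):
    """Return the first rule that blocks this load, or None if it is allowed."""
    for rule in rules:
        if matches(rule, parent_exe, target_path):
            return rule
    return None


# Constructed sample events: (parent executable, module being loaded).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\WINDOWS\system32\jscript.dll"),
    (r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\WINDOWS\system32\vbscript.dll"),
    (r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\atmfd.dll"),
    (r"C:\WINDOWS\system32\wscript.exe", r"C:\WINDOWS\system32\jscript.dll"),
]


def summarize(events=SAMPLE_EVENTS, rules=BLACKLIST):
    """List (parent, target, blocking rule or None) for every event."""
    return [(p, t, evaluate(p, t, rules)) for p, t in events]
```

Note that with `BLACKLIST` the fourth event (wscript.exe loading jscript.dll) is blocked as well: the rule disables JScript system-wide, not just in IE8, whereas `TARGETED` leaves it alone.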
RainyShadow Posted April 16, 2020

So, this just disables JavaScript and OpenType support and calls that a fix? I have a better one: pull out all LAN cables and all WiFi & WWAN adapters out of the PC - there, instant fix for almost all vulnerabilities
Sampei.Nihira (Author) Posted April 16, 2020

1 hour ago, RainyShadow said:
So, this just disables JavaScript and OpenType support and calls that a fix? I have a better one: pull out all LAN cables and all WiFi & WWAN adapters out of the PC - there, instant fix for almost all vulnerabilities

In the absence of a Microsoft patch, other solutions may be considered. Mitja Kolsek and Didier Stevens also agree that:

Quote
Rename ATMFD.DLL. This is the most effective mitigation, because it eliminates the vulnerable code. On older Windows systems, this code is in the kernel driver called ATMFD.DLL, while on newer ones it's in a sandboxed user-space process called fontdrvhost.exe. It makes sense that Microsoft recommended renaming the former but not the latter, as remote code execution vulnerabilities in the kernel are critical, while running malicious code inside an AppContainer is far from "game over". Note that on Windows 8.1 and earlier, it is also possible to disable ATMFD via registry as described in the advisory, with the same end result as renaming ATMFD.DLL.
Pros: Reliably blocks all remote and local attacks using these vulnerabilities.
Cons: A non-trivial procedure for individual users; Prevents Adobe Type 1 PostScript fonts and OpenType fonts from working in applications employing the Windows-integrated support for Adobe Type 1 PostScript and OpenType; Requires a reboot.

A 0-day vulnerability can be patched not only by correcting the code, but by protecting the attack target (in the cases mentioned above, 2 DLLs) of a possible remote exploit.
Dibya Posted April 17, 2020

The Atmfd vulnerability fix is already made by me. I am trying to find someone willing to test it.
Sampei.Nihira (Author) Posted April 17, 2020

3 hours ago, Dibya said:
The Atmfd vulnerability fix is already made by me. I am trying to find someone willing to test it.

Hi, did you perform a code fix or a rename of ATMFD.dll?
Dibya Posted April 21, 2020

On 4/17/2020 at 4:51 PM, Sampei.Nihira said:
Hi, did you perform a code fix or a rename of ATMFD.dll?

Code fix
FranceBB Posted April 21, 2020

@Sampei.Nihira I'll send you a PM.
RainyShadow Posted April 23, 2020

On 4/17/2020 at 11:08 AM, Dibya said:
The Atmfd vulnerability fix is already made by me. I am trying to find someone willing to test it.

Do you have any simple way to test? Like checking a web page, or opening a specially crafted font in Windows Font Viewer, etc.