Vulnerability found in all versions of Windows: ATMFD.DLL

 

Solution:

Disable the Preview Pane and Details Pane in Windows Explorer

Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability. To disable these panes in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1, perform the following steps:



 

  1. Open Windows Explorer, click Organize, and then click Layout.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Organize, and then click Folder and search options.
  4. Click the View tab.
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

For Windows Server 2016, Windows 10, and Windows Server 2019, perform the following steps:

  1. Open Windows Explorer, click the View tab.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Options, and then click Change folder and search options.
  4. Click the View tab.
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Impact of workaround.

Windows Explorer will not automatically display OTF fonts.

How to undo the workaround.

To re-enable the Preview and Details panes in Windows Explorer for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1:

  1. Open Windows Explorer, click Organize, and then click Layout.
  2. Select both the Details pane and Preview pane menu options.
  3. Click Organize, and then click Folder and search options.
  4. Click the View tab.
  5. Under Advanced settings, clear the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

For Windows Server 2016, Windows 10, and Windows Server 2019:

  1. Open Windows Explorer, click the View tab.
  2. Select both the Details pane and Preview pane menu options.
  3. Click Options, and then click Change folder and search options.
  4. Click the View tab.
  5. Under Advanced settings, clear the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After this workaround is applied, remote attackers who successfully exploit this vulnerability can still cause the system to run programs located on the targeted user's computer or on the local area network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, perform the following steps:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Disabled. If the service is running, click Stop.
  4. Click OK and exit the management application.

Impact of workaround.

When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

How to undo the workaround.

To re-enable the WebClient Service, perform the following steps:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Automatic. If the service is not running, click Start.
  4. Click OK and exit the management application.

Rename ATMFD.DLL

Please note: ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the mitigation section for more information.

For 32-bit systems:

  1. Enter the following commands at an administrative command prompt:
	cd "%windir%\system32"
	takeown.exe /f atmfd.dll
	icacls.exe atmfd.dll /save atmfd.dll.acl
	icacls.exe atmfd.dll /grant Administrators:(F)
	rename atmfd.dll x-atmfd.dll
  2. Restart the system.

For 64-bit systems:

  1. Enter the following commands at an administrative command prompt:
	cd "%windir%\system32"
	takeown.exe /f atmfd.dll
	icacls.exe atmfd.dll /save atmfd.dll.acl
	icacls.exe atmfd.dll /grant Administrators:(F) 
	rename atmfd.dll x-atmfd.dll
	cd "%windir%\syswow64"
	takeown.exe /f atmfd.dll
	icacls.exe atmfd.dll /save atmfd.dll.acl
	icacls.exe atmfd.dll /grant Administrators:(F) 
	rename atmfd.dll x-atmfd.dll
  2. Restart the system.

Optional procedure for Windows 8.1 operating systems and below (disable ATMFD):

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe.

Method 1 (manually edit the system registry):

  1. Run regedit.exe as Administrator.
  2. In Registry Editor, navigate to the following sub key (or create it) and set its DWORD value to 1:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 1
  3. Close Registry Editor and restart the system.

Method 2 (use a managed deployment script):

  1. Create a text file named ATMFD-disable.reg that contains the following text:
	Windows Registry Editor Version 5.00
	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
	"DisableATMFD"=dword:00000001
  2. Run regedit.exe.
  3. In Registry Editor, click the File menu and then click Import.
  4. Navigate to and select the ATMFD-disable.reg file that you created in the first step. (Note: If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files.)
  5. Click Open and then click OK to close Registry Editor.

Impact of workaround

Applications that rely on embedded font technology will not display properly. Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.

How to undo the workaround

For 32-bit systems:

  1. Enter the following commands at an administrative command prompt:
	cd "%windir%\system32"
	rename x-atmfd.dll atmfd.dll
	icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
	icacls.exe . /restore atmfd.dll.acl
  2. Restart the system.

For 64-bit systems:

  1. Enter the following commands at an administrative command prompt:
	cd "%windir%\system32"
	rename x-atmfd.dll atmfd.dll
	icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
	icacls.exe . /restore atmfd.dll.acl
	cd "%windir%\syswow64"
	rename x-atmfd.dll atmfd.dll
	icacls.exe atmfd.dll /setowner "NT SERVICE\TrustedInstaller"
	icacls.exe . /restore atmfd.dll.acl
  2. Restart the system.

Optional procedure for Windows 8.1 operating systems and below (enable ATMFD):

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe.

Method 1 (manually edit the system registry):

  1. Run regedit.exe as Administrator.
  2. In Registry Editor, navigate to the following sub key and set its DWORD value to 0:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD, DWORD = 0
  3. Close Registry Editor and restart the system.

Method 2 (use a managed deployment script):

  1. Create a text file named ATMFD-enable.reg that contains the following text:
	Windows Registry Editor Version 5.00
	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
	"DisableATMFD"=dword:00000000
  2. Run regedit.exe.
  3. In Registry Editor, click the File menu and then click Import.
  4. Navigate to and select the ATMFD-enable.reg file that you created in the first step. (Note: If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files.)
  5. Click Open and then click OK to close Registry Editor.
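
To confirm which of the workarounds above are actually in effect on a machine, the following read-only PowerShell check can be used. It is an added example, not part of the original advisory text. The function name Get-AtmfdWorkaroundState is hypothetical, PowerShell 3.0 or later is assumed, and IconsOnly is the per-user registry value behind the "Always show icons, never thumbnails" checkbox.

```powershell
# Added example: read-only audit of the three workarounds on this page.
# Run from a 64-bit PowerShell prompt on 64-bit Windows so that system32
# is not redirected to syswow64. Nothing is modified.
function Get-AtmfdWorkaroundState {   # hypothetical helper name
    $state = [ordered]@{}

    # WebClient service: the workaround sets Startup type to Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" `
        -ErrorAction SilentlyContinue
    if ($svc) {
        $state['WebClientStartMode'] = $svc.StartMode   # 'Disabled' when applied
        $state['WebClientState']     = $svc.State       # 'Stopped' when applied
    } else {
        $state['WebClientStartMode'] = 'service not installed'
        $state['WebClientState']     = 'service not installed'
    }

    # Rename workaround: atmfd.dll gone, x-atmfd.dll present.
    foreach ($dir in 'system32', 'syswow64') {
        $base = Join-Path $env:windir $dir
        if (-not (Test-Path $base)) { continue }   # no syswow64 on 32-bit systems
        if (Test-Path (Join-Path $base 'atmfd.dll')) {
            $state["atmfd_$dir"] = 'atmfd.dll present (not renamed)'
        } elseif (Test-Path (Join-Path $base 'x-atmfd.dll')) {
            $state["atmfd_$dir"] = 'renamed to x-atmfd.dll'
        } else {
            $state["atmfd_$dir"] = 'atmfd.dll absent'
        }
    }

    # Optional registry switch for Windows 8.1 and below.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $val = (Get-ItemProperty -Path $key -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
    $state['DisableATMFD'] = if ($null -eq $val) { 'not set' } else { $val }

    # Per-user Explorer setting "Always show icons, never thumbnails".
    # The Preview and Details pane toggles themselves are not checked here.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $ico = (Get-ItemProperty -Path $adv -Name IconsOnly -ErrorAction SilentlyContinue).IconsOnly
    $state['IconsOnly'] = if ($null -eq $ico) { 'not set' } else { $ico }

    [pscustomobject]$state
}

Get-AtmfdWorkaroundState | Format-List
```

The IconsOnly result applies only to the account running the check, so it has to be run per user to verify the Explorer workaround.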