RE: WMF Vulnerability

  • From: "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jan 2006 10:02:03 -0800

Andy Haigh

And everyone has been ignoring it since.

John T
eServices For You


> -----Original Message-----
> From: JosephK [mailto:josephk@xxxxxxxxx]
> Sent: Thursday, January 05, 2006 9:43 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
> 
> http://www.ISAserver.org
> 
> I've noticed that my spell checker stops at the subject line of this
> thread.
> Who spelled Vunrability???  Damn you guys for making me hit cancel first
> :)
> 
> Joseph
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, January 05, 2006 7:34 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
> 
> Hi Joseph,
> 
> Keeping my eyes open for it.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> > -----Original Message-----
> > From: JosephK [mailto:josephk@xxxxxxxxx]
> > Sent: Thursday, January 05, 2006 12:52 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > Hi Thomas,
> >
> > I hear that the next round of this type of attack may indeed be *.gif
> > or some other variant.
> >
> > Joseph
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 10:33 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > Hi Joseph,
> >
> > Yes, I knew what .wmf meant, was just having some fun there :)
> >
> > You could change the application that opens the .wmf file, but what if
> > they change the file extension to .doc or .xls or .gif? I think you
> > still end up getting whacked.
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > Sent: Wednesday, January 04, 2006 12:03 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > Hi Thomas,
> > >
> > > WMF -- Um, this is a family list! But, I could also think of a few more
> > > things.  Google desktop indexing has a flaw... If some unsuspecting user
> > > sets it up incorrectly or some goof uses it on a corporate network,
> > > then, the indexing process can show up on the internet!  Now that's
> > > why I don't use trash like that.
> > >
> > > I'm sure you knew that *.wmf was for windows meta file. Changing the
> > > program that opens that to notepad actually works. At least in my test
> > > environment.
> > >
> > > Thank you,
> > > Joseph
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Wednesday, January 04, 2006 10:03 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > Hi Joseph,
> > >
> > > I read that even if you use Google indexing service on your computer, it
> > > will whack you when the WMF is accessed.
> > >
> > > BTW, what does WMF stand for? I can think of a few things right now :))
> > >
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > Sent: Wednesday, January 04, 2006 11:53 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > Another minor way to fix this from the desktop point of view and yes it
> > > > is a pain in the ass. Change the program that opens up *.wmf (fax
> > > > viewer) to use notepad instead.  Not very feasible though with a real
> > > > large shop.
> > > >
> > > > Joseph
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Edgardo Balansay [mailto:balansay@xxxxxxxxx]
> > > > Sent: Wednesday, January 04, 2006 9:49 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > I have been thinking similar to "Thor" in that, "... have you found the
> > > > application/x-msmetafile mime block is all you have to do?"
> > > > As .wmf file type is listed as
> > > > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx
> > > >
> > > > However Jim Harrison, mentions, "...use pattern matching in the response
> > > > stream.  Request and response headers are ok unless the "bad place"
> > > > decides to spoof them."
> > > >
> > > > So application/x-msmetafile mime block does not completely block the wmf
> > > > type of files? Is what Jim is saying is that the "bad place" may spoof
> > > > the headers, and Windows will continue to open the file with the
> > > > vulnerable application/dll?
> > > >
> > > > But doesn't ISA Application Filter and therefore able to block the
> > > > specific mime type for *.wmf regardless of headers?  Much like how it
> > > > blocks executables regardless of extension?
> > > >
> > > > Just attempting to add to the discussion, thanks!
> > > > Edgardo
> > > >
> > > > (BTW: above quotes are taken from the "OT - texas hold em" thread)
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > josephk@xxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
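
The question left open in the thread is whether blocking the application/x-msmetafile MIME type is enough when the sending server can set any header or file extension it likes. The sketch below is an added example, not code from the list posts or from ISA Server: it classifies a response by the leading bytes of the body, as the "pattern matching in the response stream" suggestion implies. The function names and sample payloads are constructed for illustration.

```python
import struct

# First four bytes of an Aldus "placeable" metafile header (key 0x9AC6CDD7,
# stored little-endian).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
WMF_MIME = "application/x-msmetafile"


def looks_like_wmf(body: bytes) -> bool:
    """True if the payload starts with a WMF header, placeable or standard."""
    if body.startswith(PLACEABLE_KEY):
        return True
    if len(body) < 18:  # the standard metafile header is 18 bytes
        return False
    file_type, header_words, version = struct.unpack_from("<HHH", body, 0)
    # Type 1 = memory metafile, 2 = disk metafile; header size is 9 words;
    # version is 0x0100 or 0x0300.
    return (file_type in (1, 2) and header_words == 9
            and version in (0x0100, 0x0300))


def inspect_response(url_path: str, content_type: str, body: bytes) -> str:
    """Classify one HTTP response by content first, declared type second."""
    declared = content_type.split(";")[0].strip().lower() == WMF_MIME
    named = url_path.lower().endswith(".wmf")
    if looks_like_wmf(body):
        # The body is a metafile whatever the header or extension claims.
        return "block" if (declared or named) else "block-disguised"
    # Not a metafile by signature: fall back to the plain MIME-type rule.
    return "block" if declared else "allow"


# Constructed sample payloads (benign): an empty standard metafile made of
# the 18-byte header plus the 3-word end-of-file record, and a GIF stub.
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) \
    + struct.pack("<IH", 3, 0)
SAMPLE_GIF = b"GIF89a" + b"\x00" * 20

if __name__ == "__main__":
    print(inspect_response("/img/logo.gif", "image/gif", SAMPLE_WMF))
    print(inspect_response("/img/logo.wmf", WMF_MIME, SAMPLE_WMF))
    print(inspect_response("/img/logo.gif", "image/gif", SAMPLE_GIF))
```

A check like this only sees the start of the body as delivered; a metafile wrapped inside another container or a compressed response has to be unpacked before the signature test means anything.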


