Here is the patch http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

-----Original Message-----
From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx]
Sent: Thursday, January 05, 2006 2:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Spelling errors in some of the comments Jim, but otherwise keep up the good fight!

' - presents a final status to the user based on teh trreturn value from DoArray()
' 1. accesses the ISA COM and validates the correct context fro this script

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, January 05, 2006 1:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

Ok - found and fixed the bug - twere a logic error in publishing rules.
Also "hardened" the script in a few places.
http://isatools.org/block_wmf.zip
Note that it only acts on the array policies for now.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, January 05, 2006 10:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

Andy Haigh

And everyone has been ignoring it since.

John T
eServices For You

> -----Original Message-----
> From: JosephK [mailto:josephk@xxxxxxxxx]
> Sent: Thursday, January 05, 2006 9:43 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> I've noticed that my spell checker stops at the subject line of this
> thread. Who spelled Vunrability??? Damn you guys for making me hit
> cancel first :)
>
> Joseph
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, January 05, 2006 7:34 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> Hi Joseph,
>
> Keeping my eyes open for it.
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: JosephK [mailto:josephk@xxxxxxxxx]
> > Sent: Thursday, January 05, 2006 12:52 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > Hi Thomas,
> >
> > I hear that the next round of this type of attack may indeed be
> > *.gif or some other variant.
> >
> > Joseph
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 10:33 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > Hi Joseph,
> >
> > Yes, I knew what .wmf meant, was just having some fun there :)
> >
> > You could change the application that opens the .wmf file, but what
> > if they change the file extension to .doc or .xls or .gif? I think
> > you still end up getting whacked.
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> > > -----Original Message-----
> > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > Sent: Wednesday, January 04, 2006 12:03 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > Hi Thomas,
> > >
> > > WMF -- Um, this is a family list! But, I could also think of a few
> > > more things. Google desktop indexing has a flaw... If some
> > > unsuspecting user sets it up incorrectly or some goof uses it on a
> > > corporate network, then the indexing process can show up on the
> > > internet! Now that's why I don't use trash like that.
> > >
> > > I'm sure you knew that *.wmf was for windows meta file. Changing the
> > > program that opens that to notepad actually works. At least in my
> > > test environment.
> > >
> > > Thank you,
> > > Joseph
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Wednesday, January 04, 2006 10:03 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > Hi Joseph,
> > >
> > > I read that even if you use Google indexing service on your
> > > computer, it will whack you when the WMF is accessed.
> > >
> > > BTW, what does WMF stand for? I can think of a few things right
> > > now :))
> > >
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > > > -----Original Message-----
> > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > Sent: Wednesday, January 04, 2006 11:53 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > Another minor way to fix this from the desktop point of view, and
> > > > yes it is a pain in the ass: change the program that opens up
> > > > *.wmf (fax viewer) to use notepad instead. Not very feasible
> > > > though with a real large shop.
> > > >
> > > > Joseph
> > > >
> > > > -----Original Message-----
> > > > From: Edgardo Balansay [mailto:balansay@xxxxxxxxx]
> > > > Sent: Wednesday, January 04, 2006 9:49 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > I have been thinking similar to "Thor" in that, "... have you
> > > > found the application/x-msmetafile mime block is all you have to
> > > > do?"
> > > > As the .wmf file type is listed at
> > > > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx
> > > >
> > > > However Jim Harrison mentions, "...use pattern matching in the
> > > > response stream. Request and response headers are ok unless the
> > > > "bad place" decides to spoof them."
> > > >
> > > > So the application/x-msmetafile mime block does not completely
> > > > block the wmf type of files? Is what Jim is saying that the "bad
> > > > place" may spoof the headers, and Windows will continue to open
> > > > the file with the vulnerable application/dll?
> > > >
> > > > But isn't the ISA Application Filter therefore able to block the
> > > > specific mime type for *.wmf regardless of headers? Much like how
> > > > it blocks executables regardless of extension?
> > > >
> > > > Just attempting to add to the discussion, thanks!
> > > >
> > > > Edgardo
> > > >
> > > > (BTW: above quotes are taken from the "OT - texas hold em"
> > > > thread)
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > josephk@xxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
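The point Edgardo raises above (is an application/x-msmetafile MIME block enough, or does the filter have to pattern-match the response body as Jim suggests?) is easiest to see with both policies side by side. The script below is an added example for this page; it is not Jim's block_wmf.zip, not ISA code, and not captured traffic. The sample responses are constructed inline, the function names are mine, and the "policies" are toy stand-ins for a web filter's allow/block decision. What it shows: a server controls its own Content-Type header and the URL extension, so a WMF body served as image/gif sails through a header-only rule, while a check on the WMF file signature at the start of the body catches it regardless of what the headers claim.

```python
"""Added example: MIME-type blocking versus body signature matching for WMF.

Not from the ISAserver.org thread or from block_wmf.zip.  Sample bodies are
constructed stubs, not real files or captured responses.
"""
import struct

# Aldus placeable metafile key, 0x9AC6CDD7 little-endian (bytes D7 CD C6 9A).
PLACEABLE_WMF_KEY = 0x9AC6CDD7
WMF_MIME = "application/x-msmetafile"


def looks_like_wmf(body: bytes) -> bool:
    """True if body starts with a WMF signature, whatever the headers say.

    Recognised layouts:
      * placeable metafile: 4-byte key 0x9AC6CDD7 at offset 0
      * standard METAHEADER: mtType 1 (memory) or 2 (disk file),
        mtHeaderSize 9 (in words), mtVersion 0x0100 or 0x0300
    """
    if len(body) < 6:
        return False
    if struct.unpack_from("<I", body, 0)[0] == PLACEABLE_WMF_KEY:
        return True
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", body, 0)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def content_type(headers: dict) -> str:
    """Case-insensitive Content-Type lookup with parameters (;charset=...) dropped."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def mime_only_verdict(headers: dict, body: bytes) -> str:
    """Header-only policy from the thread: trusts the server's Content-Type."""
    return "block" if content_type(headers) == WMF_MIME else "allow"


def body_sniffing_verdict(headers: dict, body: bytes) -> str:
    """Pattern-match the response stream; the headers play no part in the decision."""
    return "block" if looks_like_wmf(body) else "allow"


# --- constructed sample responses (stubs, not real files) --------------------
# Standard METAHEADER: mtType=2 (disk), mtHeaderSize=9, mtVersion=0x0300,
# mtSize, mtNoObjects, mtMaxRecord, mtNoParameters left at zero.
STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
# 22-byte placeable header (key + zeroed fields) followed by the standard header.
PLACEABLE_WMF = struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18 + STANDARD_WMF
GIF_STUB = b"GIF89a" + b"\x00" * 16

SAMPLES = {
    # honestly labelled WMF: both policies block it
    "honest": ({"Content-Type": WMF_MIME}, PLACEABLE_WMF),
    # the "bad place" spoofs the headers: served as image/gif, body is still WMF
    "spoofed": ({"content-type": "image/gif; charset=binary"}, STANDARD_WMF),
    # a real GIF: neither policy should block it
    "real_gif": ({"Content-Type": "image/gif"}, GIF_STUB),
}


def compare_policies() -> dict:
    """(mime-only verdict, body-sniffing verdict) for every sample, keyed by name."""
    return {
        name: (mime_only_verdict(hdrs, body), body_sniffing_verdict(hdrs, body))
        for name, (hdrs, body) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (mime_only, sniffed) in compare_policies().items():
        print(f"{name:9s} mime-only={mime_only:5s} body-sniffing={sniffed}")
```

The "spoofed" sample is the case the thread worries about: the MIME rule allows it, the signature check blocks it. Two caveats for anyone turning this into a real filter: the match has to run on the decoded body (after any chunked or gzip transfer encoding), and it only catches metafiles that arrive as a bare file. A WMF embedded inside a .doc or .xls, which Tom raises above, does not put the WMF header at offset 0 of the response, so that case needs container-aware parsing rather than this front-of-body check.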