RE: WMF Vulnerability

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 4 Jan 2006 09:56:10 -0800

You have to inform ISA of what to use to identify the "bad stuff".
It doesn't have predefined patterns (what a perf killer that would be!). 
I'm working with the MSRC folks to define a workable HTTP filter.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Edgardo Balansay [mailto:balansay@xxxxxxxxx] 
Sent: Wednesday, January 04, 2006 09:49
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

I have been thinking similar to "Thor" in that, "... have you found the 
application/x-msmetafile mime block is all you have to do?"
As .wmf file type is listed as 
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx
 
However Jim Harrison, mentions, "...use pattern matching in the response 
stream.  Request and response headers are ok unless the "bad place" decides to 
spoof them." 
 
So the application/x-msmetafile mime block does not completely block the wmf type 
of files? Is what Jim is saying that the "bad place" may spoof the headers, 
and Windows will continue to open the file with the vulnerable application/dll? 
 
But isn't ISA an Application Filter and therefore able to block the specific 
mime type for *.wmf regardless of headers?  Much like how it blocks executables 
regardless of extension?
 
Just attempting to add to the discussion, thanks!
Edgardo
 
(BTW: above quotes are taken from the "OT - texas hold em" thread)
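
The distinction discussed in this thread (a MIME-type rule trusts the Content-Type header that the server supplies, while pattern matching inspects the response body) can be illustrated with the sketch below. It is an added example, not part of either message and not an ISA Server filter definition. The function names and sample bodies are constructed for illustration, the signatures are the standard and placeable WMF header values, and the check identifies the file type only.

```python
import gzip
import struct
import zlib

WMF_MIME = "application/x-msmetafile"
PLACEABLE_KEY = 0x9AC6CDD7  # first 4 bytes (little-endian) of a placeable WMF

def looks_like_wmf(body: bytes) -> bool:
    """True if body starts with a placeable or standard WMF header."""
    if len(body) >= 4 and struct.unpack_from("<I", body)[0] == PLACEABLE_KEY:
        return True
    if len(body) < 6:
        return False
    # Standard header: type (1=memory, 2=disk), header size in words (9),
    # version (0x0100 or 0x0300).
    ftype, hdr_words, version = struct.unpack_from("<HHH", body)
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def classify_response(headers: dict, body: bytes) -> str:
    """Verdict for one HTTP response: header match, content match, or allow."""
    hdrs = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if hdrs.get("content-type", "").split(";")[0].strip() == WMF_MIME:
        return "block-header"      # honest server: the MIME rule is enough
    if hdrs.get("content-encoding") == "gzip":
        try:
            body = gzip.decompress(body)   # inspect what the client will see
        except (OSError, EOFError, zlib.error):
            return "uninspectable"         # policy decision left to the admin
    # The declared type is ignored from here on: the server controls it.
    return "block-content" if looks_like_wmf(body) else "allow"

# Constructed sample bodies (headers only, zero-padded; not real metafiles).
SAMPLE_PLACEABLE = struct.pack("<I", PLACEABLE_KEY) + bytes(18)
SAMPLE_STANDARD = struct.pack("<HHH", 1, 9, 0x0300) + bytes(12)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + bytes(16)

if __name__ == "__main__":
    cases = [
        ({"Content-Type": WMF_MIME}, SAMPLE_STANDARD),
        ({"Content-Type": "image/jpeg"}, SAMPLE_PLACEABLE),
        ({"Content-Type": "image/gif", "Content-Encoding": "gzip"},
         gzip.compress(SAMPLE_STANDARD)),
        ({"Content-Type": "image/jpeg"}, SAMPLE_JPEG),
    ]
    for headers, body in cases:
        print(headers, "->", classify_response(headers, body))
```

The second and third cases are the ones a header-only rule misses: the body is a metafile but the declared type is an ordinary image, and in the third the signature is only visible after the gzip layer is removed.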