RE: WMF Vunrability
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 4 Jan 2006 12:02:59 -0600
Hi Jospeh,
I read that even if you use Google indexing service on your computer, it
will whack you when the WMF is accessed.
BTW, what does WMF stand for? I can think of a few things right now :))
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: JosephK [mailto:josephk@xxxxxxxxx]
> Sent: Wednesday, January 04, 2006 11:53 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
>
> Another minor way to fix this from the desktop point of view
> and yes it
> is a pain in the ass. Change the program that opens up *.wmf (fax
> viewer) to use
> notepad instead. Not very feasible though with a real large shop.
>
> Joseph
>
>
>
> -----Original Message-----
> From: Edgardo Balansay [mailto:balansay@xxxxxxxxx]
> Sent: Wednesday, January 04, 2006 9:49 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
> I have been thinking similar to "Thor" in that, "... have you
> found the
> application/x-msmetafile mime block is all you have to do?"
> As .wmf file type is listed as
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mim
> etypes.msp
> x
>
> However Jim Harrison, mentions, "...use pattern matching in
> the response
> stream. Request and response headers are ok unless the "bad place"
> decides to spoof them."
>
> So application/x-msmetafile mime block does not completely
> block the wmf
> type of files? Is what Jim is saying is that the "bad place" may spoof
> the headers, and Windows will continue to open the file with the
> vulnerable application/dll?
>
> But doesn't ISA Application Filter and therefore able to block the
> specific mime type for *.wmf regardless of headers? Much like how it
> blocks executables regardless of extension?
>
> Just attempting to add to the discussion, thanks!
> Edgardo
>
> (BTW: above quotes are taken from the "OT - texas hold em" thread)
> ------------------------------------------------------ List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server
> Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server
> FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------ Visit
> TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------ You
> are currently
> subscribed to this ISAserver.org Discussion List as: josephk@xxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
