Hi Edgardo, Remember that the ISA firewall is a extensible platform, especially in respect to its application layer inspection feature set. David F from GFI noted that GFI WebMonitor 3.0 will block this at the application layer inspection level. Check my blog for one approach you can take to solving the problem. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls **Who is John Galt?** ________________________________ From: Edgardo Balansay [mailto:balansay@xxxxxxxxx] Sent: Wednesday, January 04, 2006 11:49 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: WMF Vunrability http://www.ISAserver.org I have been thinking similar to "Thor" in that, "... have you found the application/x-msmetafile mime block is all you have to do?" As .wmf file type is listed as http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.msp x However Jim Harrison, mentions, "...use pattern matching in the response stream. Request and response headers are ok unless the "bad place" decides to spoof them." So application/x-msmetafile mime block does not completely block the wmf type of files? Is what Jim is saying is that the "bad place" may spoof the headers, and Windows will continue to open the file with the vulnerable application/dll? But doesn't ISA Application Filter and therefore able to block the specific mime type for *.wmf regardless of headers? Much like how it blocks executables regardless of extension? Just attempting to add to the discussion, thanks! Edgardo (BTW: above quotes are taken from the "OT - texas hold em" thread) ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx