RE: WMF Vunrability

That's up to you.
The point of this filter is to give you time to patch vulnerable
systems.
It will behave the same whether your systems are vulnerable or not.

The biggest point is the potential for performance impact.  Every HTTP
filter definition that you add costs CPU cycles (TANSSTAAFL).  If you
don't notice any performance degradation after installing the filter
definitions, then leave them in place.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Ara Avvali [mailto:ara.avvali@xxxxxxxxxxxxx] 
Sent: Friday, January 06, 2006 11:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability

http://www.ISAserver.org

With wsus patched all systems with recently released update, is it still
necessary to keep this filter? 

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, January 04, 2006 5:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability

http://www.ISAserver.org

Updated:

HTTP filter settings (you all know how to get there).

1. Extensions: 
<choice>
   Set "block specified"
   Add .emf
   Description="application/x-msmetafile"
   Add .wmf
   Description="application/x-msmetafile"
</choice>
<choice>
   Set "allow specified"
   Remove .emf
   Remove .wmf
</choice>
<notachoice>
   Set "allow all"
</notachoice>

2. Signatures:
   Name=WMF-1
   Description="request file type trigger"
   Type="Request URL"
   Signature=".emf"

   Name=WMF-2
   Description="request file type trigger"
   Type="Request URL"
   Signature=".wmf"

   Name=WMF-3
   Description="response headers trigger"
   Type="Response Headers"
   HTTP Header="content-type"
   Signature="msmetafile"

   Name=WMF-4
   Description="response body file type trigger"
   Type="Response Body"
   Signature=".emf"

   Name=WMF-5
   Description="response body file type trigger"
   Type="Response Body"
   Signature=".wmf"

   Name=WMF-6
   Description="response body file header trigger"
   Type="Response Body"
   Signature="184Gmg"

WMF-6 is the kewl one because all binary files are base-64 encoded when
transferred over HTTP and FTP.
WMF files usually incorporate a predefined header value that resolves to
the Base-64 signature in this definition.
It's probably the same technique as the GFI filter, except not as smart.



-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, January 04, 2006 16:03
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability

http://www.ISAserver.org

HTTP filter settings (you all know how to get there).

1. Extensions: 
<choice>
   Set "block specified"
   Add .emf
   Description="application/x-msmetafile"
   Add .wmf
   Description="application/x-msmetafile"
</choice>
<choice>
   Set "allow specified"
   Remove .emf
   Remove .wmf
</choice>
<notachoice>
   Set "allow all"
</notachoice>

2. Signatures:
   Name=WMF-1
   Description="request file type trigger"
   Type="Request URL"
   Signature=".emf"

   Name=WMF-2
   Description="request file type trigger"
   Type="Request URL"
   Signature=".wmf"

   Name=WMF-3
   Description="response headers trigger"
   Type="Response Headers"
   HTTP Header="content-type"
   Signature="msmetafile"

   Name=WMF-4
   Description="response body file type trigger"
   Type="Response Body"
   Signature=".emf"

   Name=WMF-5
   Description="response body file type trigger"
   Type="Response Body"
   Signature=".wmf"

   Name=WMF-6
   Description="response body file header trigger"
   Type="Response Body"
   Signature="184Gmg"

WMF-6 is the kewl one because all binary files are base-64 encoded when
transferred over HTTP and FTP.
WMF files usually incorporate a predefined header value that resolves to
the Base-64 signature in this definition.
It's probably the same technique as the GFI filter, except not as smart.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, January 04, 2006 15:27
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability

http://www.ISAserver.org

Hey Jim,

Forget about the automation, just let us know what to do :)

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 2:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
> 
> http://www.ISAserver.org
> 
> Sorry - I haven't.
> I'm working with MSRC to narrow down the definitions and automation 
> for the ISA 2004 blocker.
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 11:45
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
> 
> http://www.ISAserver.org
> 
> Jim, did you read this?  I'm wondering if the method described to 
> "block extensions" is correct or not.  Rather than using "Configure 
> HTTP" and setting allowable extensions, I though one should explicitly

> create a deny rule specifying both the .wmf extension *as well* as 
> application/x-msmetafile as the MIME type.  Incoming HTTP file 
> associations are handled by MIME type, not file extension.  Only when 
> there is no MIME type handed down by the server is a file extension 
> used (or when you do an actual file transfer, like with FTP.)
> 
> Comments on that?
> 
> t
> 
> 
> 
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
> 
> 
> ----- Original Message -----
> From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 04, 2006 11:24 AM
> Subject: [isalist] RE: WMF Vunrability
> 
> 
> > http://www.ISAserver.org
> >
> > Hey guys,
> >
> > Check out
> > 
> http://blogs.technet.com/jesper_johansson/archive/2006/01/02/4
> 16762.aspx
> > too
> > ;-)
> >
> > HTH,
> > Stefaan
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: woensdag 4 januari 2006 20:16
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > http://www.ISAserver.org
> >
> > Hi Tim,
> >
> > I agree. There seems to be than the ususal amount of FUD
> associated with
> > this problem. :(
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Wednesday, January 04, 2006 1:01 PM
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] RE: WMF Vunrability
> >>
> >> http://www.ISAserver.org
> >>
> >> I wouldn't call it "program like behavior."  They just contain both

> >> metadata and rendering data in the same file (as I understand it.)
> >>
> >> Renaming the file to something like ".gif" or ".jpg" could
> still cause
> >> execution if loaded from a file, but only if the Picture and Fax 
> >> Viewer was the default program for those file types.  From
> a browser,
> >> for WP&FV to open it and parse the data, it has to be that
> MIME type
> >> (again, as I understand
> >> it.)
> >>
> >> While I've read here that the "way to do it" is how GFI
> does it, I've
> >> still not seen any information on why simple content
> filtering won't
> >> work.  But then again, I read where Jim is working with
> MSRC to come
> >> up with a "workable" filter.  It would be nice to get some 
> >> authoritative, detailed information on why MIME and file type 
> >> filtering *won't* work.
> >>
> >> t
> >>
> >>
> >> -----
> >> "I may disapprove of what you say,
> >> but I will defend to the death your right to say it."
> >>
> >>
> >> ----- Original Message -----
> >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> Sent: Wednesday, January 04, 2006 10:31 AM
> >> Subject: [isalist] RE: WMF Vunrability
> >>
> >>
> >> http://www.ISAserver.org
> >>
> >> Hi Tim,
> >>
> >> Don't know about that, but it's a good question. But I
> have to wonder
> >> about other apps that  open the WMF files. FWIU, WMF files
> have some
> >> program like behavior that allow it to call other programs if 
> >> something doesn't work.
> >>
> >> How's that as a erudite description for a process? :)
> >>
> >> Tom
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://spaces.msn.com/members/drisa/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> **Who is John Galt?**
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> > Sent: Wednesday, January 04, 2006 12:13 PM
> >> > To: [ISAserver.org Discussion List]
> >> > Subject: [isalist] RE: WMF Vunrability
> >> >
> >> > http://www.ISAserver.org
> >> >
> >> > But if he sets a differnt mime type, Fax Viewer won't open the 
> >> > program, right?
> >> >
> >> > t
> >> > -----
> >> > "I may disapprove of what you say, but I will defend to the death

> >> > your right to say it."
> >> >
> >> >
> >> > ----- Original Message -----
> >> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> > Sent: Wednesday, January 04, 2006 9:32 AM
> >> > Subject: [isalist] RE: WMF Vunrability
> >> >
> >> >
> >> > http://www.ISAserver.org
> >> >
> >> > Hi Jonathon,
> >> >
> >> > That won't work, because the scumbag can use any file
> name he wants.
> >> > Same goes with the MIME type. The MIME type is set at the Web 
> >> > server, so the scumbag can associate any MIME type he wants.
> >> >
> >> > Tom
> >> >
> >> > Thomas W Shinder, M.D.
> >> > Site: www.isaserver.org
> >> > Blog: http://spaces.msn.com/members/drisa/
> >> > Book: http://tinyurl.com/3xqb7
> >> > MVP -- ISA Firewalls
> >> > **Who is John Galt?**
> >> >
> >> >
> >> >
> >> > > -----Original Message-----
> >> > > From: Jonathon J. Howey [mailto:Jonathon@xxxxxxx]
> >> > > Sent: Wednesday, January 04, 2006 11:25 AM
> >> > > To: [ISAserver.org Discussion List]
> >> > > Subject: [isalist] RE: WMF Vunrability
> >> > >
> >> > > http://www.ISAserver.org
> >> > >
> >> > > What I did to block it was:
> >> > >
> >> > > Internet Access Policy -> Protocols tab -> Filtering ->
> >> > Configure HTTP
> >> > > -> Extensions tab.  Should be self explanatory from there.
> >> > >
> >> > >
> >> > >
> >> > > Jonathon J. Howey
> >> > > KPSA Compliance Management Inc.
> >> > > P 780.409.5620
> >> > > F 780.409.5621
> >> > > D 780.409.5628
> >> > > C 780.965.8363
> >> > > Jonathon@xxxxxxx
> >> > >
> >> > > Guiding the Future of Transportation www.KPSA.ca
> >> > >
> >> > >
> >> > >
> >> > > -----Original Message-----
> >> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> >> > > Sent: January 4, 2006 10:12 AM
> >> > > To: [ISAserver.org Discussion List]
> >> > > Subject: [isalist] RE: WMF Vunrability
> >> > >
> >> > > http://www.ISAserver.org
> >> > >
> >> > > He never stated what his "block" was.
> >> > >
> >> > >
> >> > > -------------------------------------------------------
> >> > >    Jim Harrison
> >> > >    MCP(NT4, W2K), A+, Network+, PCG
> >> > >    http://isaserver.org/Jim_Harrison/
> >> > >    http://isatools.org
> >> > >    Read the help / books / articles!
> >> > > -------------------------------------------------------
> >> > >
> >> > >
> >> > > -----Original Message-----
> >> > > From: Brian Boyes [mailto:BrianB@xxxxxxxxx]
> >> > > Sent: Wednesday, January 04, 2006 09:02
> >> > > To: [ISAserver.org Discussion List]
> >> > > Subject: [isalist] RE: WMF Vunrability
> >> > >
> >> > > http://www.ISAserver.org
> >> > >
> >> > > > I have installed the "wmf" block to my ISA 2004 clients but
> >> > > I not sure
> >> > >
> >> > > > how to set this up for ISA 2000.
> >> > > > Could someone provide advice of the best way to do this.
> >> > >
> >> > > Did anyone ever post an answer? I'm curious about this
> >> "wmf block".
> >> > >
> >> > > Brian
> >> > >
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as: 
> > thor@xxxxxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:

> jim@xxxxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:

> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ara.avvali@xxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.



Other related posts: