Thanks Jim, good work

Greg Mulholland

________________________________

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tue 10/01/2006 5:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability Script Fix - Attn Jim

http://www.ISAserver.org

Ok - thanx to all who reported.

V1.2 is on http://isatools.org/block_wmf.zip.

I've changed the WMF-4 and -5 signatures to use "content-disposition" instead of "blank". This is what was causing the crashes in the HTTP Filter. Not to worry; this has been fixed in SP2, which coincidentally is why I didn't see it.

Also, you should manually remove these filters (yes, all of them) from any web publishing rule that is servicing RPC/HTTP traffic. It seems that *any* filter definitions cause ISA to trash this traffic (*really* secure, huh?).

Also, since some folks have had crashing problems, I've created a script to get you out of trouble faster. Unblock_wmf.vbs is your panic button and is included in the package. It completely reverts the changes wrought by block_wmf.vbs.

Updated actions:
1. backs up your current config
2. examines Enterprise (EE) and all arrays
3. within each Enterprise policy and array, it examines all rules.

If the rule is:
- "allow"
- not "default"
- includes the Web Proxy filter
..it updates the HTTP Filter settings as:

Extensions:
  If "block specified"
    Add .emf
    Add .wmf
  If "allow specified"
    Remove .emf
    Remove .wmf

Signatures:
  Name=WMF-1
  Description=" request url '.emf' file type trigger"
  Type="Request URL"
  Signature=".emf"

  Name=WMF-2
  Description=" request url '.wmf' file type trigger"
  Type="Request URL"
  Signature=".wmf"

  Name=WMF-3
  Description=" response headers content-type trigger"
  Type="Response Headers"
  HTTP Header="content-type"
  Signature="msmetafile"

  Name=WMF-4
  Description=" response header '.emf' file type trigger"
  Type="Response Headers"
  HTTP Header="content-disposition"
  Signature=".emf"

  Name=WMF-5
  Description=" response header '.wmf' file type trigger"
  Type="Response Headers"
  HTTP Header="content-disposition"
  Signature=".wmf"

  Name=WMF-6
  Description=" response body '.emf' file type trigger "
  Type="Response Body"
  Signature=".emf"

  Name=WMF-7
  Description=" response body '.wmf' file type trigger "
  Type="Response Body"
  Signature=".wmf"

  Name=WMF-8
  Description=" response body base-64 file header trigger "
  Type="Response Body"
  Signature="184Gmg"

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Paul Noble [mailto:pnoble@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, January 09, 2006 7:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability Script Fix - Attn Jim

WMF-4 'response header '.emf' file type
WMF-5 'response header '.wmf' file type

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, January 09, 2006 2:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability Script Fix - Attn Jim

Which ones?

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Paul Noble [mailto:pnoble@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, January 09, 2006 5:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability Script Fix - Attn Jim

This is the same issue Joe and myself ran into, but I found on my server it seemed to just be the additional header entries on 1.1 that caused it to bum out, cleared the ticks on that and 1.1 is working fine.

-----Original Message-----
From: Paul Crisp [mailto:pcrisp@xxxxxxxxxxxxxxxxx]
Sent: Monday, January 09, 2006 10:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] WMF Vulnerability Script Fix - Attn Jim

Hi Jim

Ok, I confirmed to you on Friday 6th that your new script was working with my firewalls without a problem. I then noticed that a newer version was posted so updated my firewalls this morning, now after 10mins the Microsoft Firewall service crashes with the following two messages in the event log:

  The Firewall service stopped because an application filter module C:\Program Files\Microsoft ISA Server\HttpFilter.dll generated an exception code C0000005 in address 60FF647F when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.

  Faulting application wspsrv.exe, version 4.0.2163.213, stamp 420bdbd0, faulting module httpfilter.dll, version 4.0.2163.213, stamp 420bdb2f, debug? 0, fault address 0x0001647f.

I have now removed the filters from both my firewalls and all appears to be working before ever installing the script

Any clues?

Regards
Paul Crisp

All mail to and from this domain is GFI-scanned.
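
Added example (not part of the thread, and not Jim Harrison's script): a Python model of the WMF-1 to WMF-8 signature list from the V1.2 message, run over constructed HTTP exchanges to show which signatures fire in each search scope. Plain substring matching, case-insensitive for everything except the base-64 signature, is an assumption here and not ISA's documented behaviour; the function name, sample URLs and sample bodies are hypothetical.

```python
# Added example: the WMF-1..WMF-8 list from the V1.2 message as substring checks.
# Matching semantics are an assumption, not ISA's documented behaviour.

# (name, search scope, HTTP header or None, signature), as listed in the message
SIGNATURES = [
    ("WMF-1", "Request URL", None, ".emf"),
    ("WMF-2", "Request URL", None, ".wmf"),
    ("WMF-3", "Response Headers", "content-type", "msmetafile"),
    ("WMF-4", "Response Headers", "content-disposition", ".emf"),
    ("WMF-5", "Response Headers", "content-disposition", ".wmf"),
    ("WMF-6", "Response Body", None, ".emf"),
    ("WMF-7", "Response Body", None, ".wmf"),
    ("WMF-8", "Response Body", None, "184Gmg"),
]

def matched_signatures(url, resp_headers, resp_body):
    """Return the names of every signature that fires for one HTTP exchange."""
    headers = {k.lower(): v.lower() for k, v in resp_headers.items()}
    body = resp_body.decode("latin-1")  # byte-preserving decode for searching
    hits = []
    for name, scope, header, sig in SIGNATURES:
        if scope == "Request URL":
            haystack = url.lower()
        elif scope == "Response Headers":
            # Only the named header is searched; a missing header never matches.
            haystack = headers.get(header, "")
        else:
            # Extension strings compared case-insensitively, base-64 text exactly.
            haystack = body.lower() if sig.startswith(".") else body
        if sig in haystack:
            hits.append(name)
    return hits

# Constructed HTTP exchanges: (label, URL, response headers, response body)
SAMPLES = [
    ("metafile by URL", "http://example.test/images/logo.wmf",
     {"Content-Type": "application/x-msmetafile"}, b"\xd7\xcd\xc6\x9a\x00\x00"),
    ("attachment name", "http://example.test/download?id=7",
     {"Content-Type": "application/octet-stream",
      "Content-Disposition": 'attachment; filename="chart.emf"'}, b"\x01\x00\x00\x00"),
    ("benign help page", "http://example.test/help/formats.html",
     {"Content-Type": "text/html"}, b"<p>Supported formats: .png, .wmf</p>"),
    ("unrelated page", "http://example.test/index.html",
     {"Content-Type": "text/html"}, b"<p>hello</p>"),
]

if __name__ == "__main__":
    for label, url, headers, body in SAMPLES:
        print(f"{label:18} -> {matched_signatures(url, headers, body) or 'no match'}")
```

The third exchange is an ordinary HTML page that only mentions the extension, yet WMF-7 fires on it, which is the cost of body signatures this broad.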