Hi Joseph,

Yes, I knew what .wmf meant, was just having some fun there :)

You could change the application that opens the .wmf file, but what if they change the file extension to .doc or .xls or .gif? I think you still end up getting whacked.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: JosephK [mailto:josephk@xxxxxxxxx]
> Sent: Wednesday, January 04, 2006 12:03 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
>
> Hi Thomas,
>
> WMF -- Um, this is a family list! But, I could also think of a few more
> things. Google desktop indexing has a flaw...If some unsuspecting user
> sets it up incorrectly or some goof uses it on a corporate network,
> then, the indexing process can show up on the internet! Now that's
> why I don't use trash like that.
>
> I'm sure you knew that *.wmf was for windows meta file. Changing the
> program that opens that to notepad actually works. At least in my test
> environment.
>
> Thank you,
> Joseph
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 10:03 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
>
> Hi Joseph,
>
> I read that even if you use Google indexing service on your computer, it
> will whack you when the WMF is accessed.
>
> BTW, what does WMF stand for? I can think of a few things right now :))
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: JosephK [mailto:josephk@xxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 11:53 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > http://www.ISAserver.org
> >
> > Another minor way to fix this from the desktop point of view and yes it
> > is a pain in the ass. Change the program that opens up *.wmf (fax
> > viewer) to use notepad instead. Not very feasible though with a real
> > large shop.
> >
> > Joseph
> >
> > -----Original Message-----
> > From: Edgardo Balansay [mailto:balansay@xxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 9:49 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > http://www.ISAserver.org
> >
> > I have been thinking similar to "Thor" in that, "... have you found the
> > application/x-msmetafile mime block is all you have to do?"
> > As .wmf file type is listed as
> > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx
> >
> > However Jim Harrison, mentions, "...use pattern matching in the response
> > stream. Request and response headers are ok unless the "bad place"
> > decides to spoof them."
> >
> > So application/x-msmetafile mime block does not completely block the wmf
> > type of files? Is what Jim is saying that the "bad place" may spoof
> > the headers, and Windows will continue to open the file with the
> > vulnerable application/dll?
> >
> > But doesn't ISA Application Filter and therefore able to block the
> > specific mime type for *.wmf regardless of headers? Much like how it
> > blocks executables regardless of extension?
> >
> > Just attempting to add to the discussion, thanks!
> > Edgardo
> >
> > (BTW: above quotes are taken from the "OT - texas hold em" thread)
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as: josephk@xxxxxxxxx
> > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
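The thread's concern is that a check on the declared MIME type or file extension misses a metafile served under another name, which is why pattern matching on the response body is suggested. The sketch below is an added example, not code from the list or from ISA Server: it compares the two checks on constructed samples, using the WMF header layout (placeable key 0x9AC6CDD7, or a standard header with type 1 or 2, header size 9 words, version 0x0100 or 0x0300); the function names `looks_like_wmf` and `verdict` are hypothetical.

```python
import struct

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"      # placeable WMF key 0x9AC6CDD7, little-endian
BLOCKED_MIME = "application/x-msmetafile"  # MIME type named in the thread


def looks_like_wmf(body: bytes) -> bool:
    """True if the body starts with a placeable or standard WMF header."""
    if body.startswith(PLACEABLE_MAGIC):
        return True
    if len(body) < 18:                     # a standard header is 18 bytes
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", body, 0)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def verdict(filename: str, content_type: str, body: bytes) -> str:
    """Report which check, if any, would stop this response."""
    declared = content_type.split(";")[0].strip().lower()
    if declared == BLOCKED_MIME or filename.lower().endswith(".wmf"):
        return "blocked: declared type"
    if looks_like_wmf(body):
        return "blocked: content signature"
    return "allowed"


# Constructed samples: headers only, no drawing records.
STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_WMF = PLACEABLE_MAGIC + bytes(18) + STANDARD_WMF
GIF = b"GIF89a" + bytes(20)

SAMPLES = [
    ("chart.wmf", "application/x-msmetafile", STANDARD_WMF),
    ("photo.gif", "image/gif", PLACEABLE_WMF),        # renamed, header spoofed
    ("report.doc", "application/msword", STANDARD_WMF),
    ("logo.gif", "image/gif", GIF),                   # genuine GIF
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(f"{name:12} {ctype:26} -> {verdict(name, ctype, body)}")
```

The standard-header test looks at only six bytes, so it can match unrelated data, and it sees nothing inside compressed or encoded responses; treat a hit as a reason to inspect further rather than as proof.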