RE: WMF Vulnerability

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 4 Jan 2006 12:33:25 -0600

Hi Joseph,

Yes, I knew what .wmf meant, I was just having some fun there :)

You could change the application that opens the .wmf file, but what if
they change the file extension to .doc or .xls or .gif? I think you
still end up getting whacked.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: JosephK [mailto:josephk@xxxxxxxxx] 
> Sent: Wednesday, January 04, 2006 12:03 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vulnerability
> 
> http://www.ISAserver.org
> 
> Hi Thomas,
> 
> WMF -- Um, this is a family list! But, I could also think of 
> a few more
> things.  Google desktop indexing has a flaw...If some 
> unsuspecting user
> sets it up incorrectly or some goof uses it on a corporate network,
> then, the indexing process can show up on the internet!  Now that's
> why I don't use trash like that. 
> 
> I'm sure you knew that *.wmf was for windows meta file.  Changing the 
> program that opens that to notepad actually works. At least in my test
> environment.  
> 
> Thank you,
> Joseph
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Wednesday, January 04, 2006 10:03 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vulnerability
> 
> http://www.ISAserver.org
> 
> Hi Joseph,
> 
> I read that even if you use Google indexing service on your 
> computer, it
> will whack you when the WMF is accessed.
> 
> BTW, what does WMF stand for? I can think of a few things 
> right now :))
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: JosephK [mailto:josephk@xxxxxxxxx] 
> > Sent: Wednesday, January 04, 2006 11:53 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vulnerability
> > 
> > http://www.ISAserver.org
> > 
> > Another minor way to fix this from the desktop point of view (and yes, it
> > is a pain in the ass): change the program that opens up *.wmf (fax
> > viewer) to use notepad instead. Not very feasible though with a real large shop.
> > 
> > Joseph
> > 
> > 
> > 
> > -----Original Message-----
> > From: Edgardo Balansay [mailto:balansay@xxxxxxxxx] 
> > Sent: Wednesday, January 04, 2006 9:49 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vulnerability
> > 
> > http://www.ISAserver.org 
> > I have been thinking similar to "Thor" in that, "... have you 
> > found the
> > application/x-msmetafile mime block is all you have to do?"
> > As .wmf file type is listed as
> > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx
> >  
> > However Jim Harrison, mentions, "...use pattern matching in 
> > the response
> > stream.  Request and response headers are ok unless the "bad place"
> > decides to spoof them." 
> >  
> > So application/x-msmetafile mime block does not completely block the wmf
> > type of files? Is what Jim is saying that the "bad place" may spoof
> > the headers, and Windows will continue to open the file with the
> > vulnerable application/dll?
> >  
> > But doesn't the ISA Application Filter therefore have the ability to block the
> > specific mime type for *.wmf regardless of headers? Much like how it
> > blocks executables regardless of extension?
> >  
> > Just attempting to add to the discussion, thanks!
> > Edgardo
> >  
> > (BTW: above quotes are taken from the "OT - texas hold em" thread)
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > josephk@xxxxxxxxx
> > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> 
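The point made twice in this thread, that a file-association change or an ISA MIME-type rule stops working as soon as the extension or the Content-Type header is changed, whereas pattern matching on the response stream does not, shown as an added example that is not from the list or from ISA Server: a small Python checker that classifies a body as a Windows Metafile from its header bytes alone and compares that with a Content-Type-only rule. The sample bytes and headers are constructed, and the function names are my own.

```python
import struct

# The Content-Type the thread discusses blocking on ISA.
BLOCKED_MIME = {"application/x-msmetafile"}
# Placeable (Aldus) WMF magic 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"


def is_wmf(body: bytes) -> bool:
    """Classify bytes as a Windows Metafile by header content only.

    Neither a file extension nor a Content-Type header is consulted, so
    renaming foo.wmf to foo.gif or spoofing the MIME type changes nothing.
    """
    if body.startswith(PLACEABLE_MAGIC):
        return True
    if len(body) < 18:
        return False
    # Standard METAHEADER: mtType (1=memory, 2=disk), mtHeaderSize (always
    # 9 words), mtVersion (0x0100 or 0x0300).
    mt_type, hdr_words, version = struct.unpack_from("<HHH", body, 0)
    return mt_type in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def mime_rule(headers: dict) -> str:
    """Header-only rule: trusts whatever Content-Type the server sends."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return "block" if ctype in BLOCKED_MIME else "allow"


def content_rule(headers: dict, body: bytes) -> str:
    """Header rule plus inspection of the response stream itself."""
    if mime_rule(headers) == "block" or is_wmf(body):
        return "block"
    return "allow"


# Constructed sample: a minimal valid WMF (18-byte header + 6-byte EOF record).
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
# Constructed headers: one honest, one with a spoofed image/gif Content-Type.
HONEST_HEADERS = {"Content-Type": "application/x-msmetafile"}
SPOOFED_HEADERS = {"Content-Type": "image/gif"}

if __name__ == "__main__":
    for name, hdrs in (("honest", HONEST_HEADERS), ("spoofed", SPOOFED_HEADERS)):
        print(f"{name}: mime rule={mime_rule(hdrs)}, "
              f"content rule={content_rule(hdrs, SAMPLE_WMF)}")
```

With the spoofed headers the MIME rule allows the same bytes the content rule blocks, which is the gap Jim Harrison's remark about the "bad place" spoofing headers refers to.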

