Security Basics: RE: Blocking WMF Files via Squid

From: Jason Burzenski <Jason.Burzenski_at_americanhm.com>
Date: Tue, 3 Jan 2006 12:49:38 -0500

According to MS, blocking WMF files won't help. Are you seeing the
majority of exploits coming in as WMF file extensions? If you are, then
your Squid mitigation should definitely help. Thanks for the tip.

From advisory 912840:

If I block .wmf files by extension, can this protect me against attempts
to exploit this vulnerability?
No. Because the Graphics Rendering Engine determines file type by means
other than just looking at the file extensions, it is possible for WMF
files with changed extensions to still be rendered in a way that could
exploit the vulnerability.

-----Original Message-----
From: Gaddis, Jeremy L. [mailto:jeremy_at_linuxwiz.net]
Sent: Thursday, December 29, 2005 10:17 PM
To: Security Basics List
Subject: Blocking WMF Files via Squid

In response to the new 0-day WMF exploit, the educational institution
for which I work recently took two steps to mitigate a possible
infection.

The first step was filtering files with the ".wmf" extension at the
e-mail gateway via McAfee's Groupshield. The other step was to block
URLs ending in ".wmf" through Squid, the caching proxy server (through
which all of our HTTP traffic is transparently proxied).

I have detailed the few steps that were needed to do this at
http://www.jeremygaddis.com/2005/12/29/blocking-wmf-at-the-perimeter/
in the event that it might be useful for others looking to do the same.

Please feel free to comment or provide feedback that may be of benefit.

Thanks,
-j

Received on Jan 04 2006
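
The gap the quoted advisory text describes, as an added example that is not part of the original thread: a rule keyed on the ".wmf" URL ending misses a metafile served under another name, while a check on the leading bytes of the response body still matches. The regex, function names and sample bytes are assumptions constructed for illustration, not the Squid configuration from the linked blog post.

```python
import re
import struct

# Assumed stand-in for a proxy rule that matches URL paths ending in ".wmf".
EXTENSION_RULE = re.compile(r"\.wmf$", re.IGNORECASE)
# Key 0x9AC6CDD7 (little-endian) that opens the 22-byte placeable WMF header.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"


def blocked_by_extension(url_path: str) -> bool:
    """True when the URL path alone would trigger the extension rule."""
    return EXTENSION_RULE.search(url_path) is not None


def looks_like_wmf(body: bytes) -> bool:
    """True when the leading bytes match a WMF header, whatever the name."""
    if body.startswith(PLACEABLE_KEY):
        return True  # placeable metafile: treat the key alone as a match
    if len(body) < 18:
        return False
    # Standard header: Type (1=memory, 2=disk), HeaderSize (9 words), Version.
    ftype, header_words, version = struct.unpack_from("<HHH", body)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def sample_wmf_header() -> bytes:
    """Constructed 18-byte standard header only; no drawing records follow."""
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)


# Constructed samples: (URL path, first bytes of the response body).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)
SAMPLES = [
    ("/images/chart.wmf", sample_wmf_header()),
    ("/images/chart.jpg", sample_wmf_header()),   # metafile under another name
    ("/images/photo.jpg", SAMPLE_JPEG),           # genuine JPEG header
    ("/images/logo.gif", PLACEABLE_KEY + bytes(36)),
]


def verdicts(samples):
    """Return (path, extension_hit, content_hit) for each sample."""
    return [(p, blocked_by_extension(p), looks_like_wmf(b)) for p, b in samples]


if __name__ == "__main__":
    for path, ext_hit, content_hit in verdicts(SAMPLES):
        print(f"{path:22} extension={ext_hit!s:5} content={content_hit}")
```

A URL-path ACL in a proxy sees only the first column; the second requires inspecting the response body, for example in a content-scanning stage behind the proxy.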
