Home page logo
/

basics logo Security Basics mailing list archives

Re: Blocking WMF Files via Squid
From: "Gyenyami InvestinLoss" <d69frk () hotmail com>
Date: Thu, 05 Jan 2006 20:06:54 +0000

Yes it is a great Idea, there are also IDS flags at Bleeding Snort that will also help at the perimeter. Keep in mind also the UN OF patch thats out there not to beat a dead horse though.


Jasun Tate CEH,NET+
Network Security Engineer ICW


From: "Robert J. Stull" <Stull_Robert_J () cat com>
To: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
CC: Security Basics List <security-basics () securityfocus com>
Subject: Re: Blocking WMF Files via Squid
Date: Tue, 3 Jan 2006 13:18:19 -0500





I think this is a good idea, but  it is not only *.wmf extensions that have
this vulnerability, it is all files that have windows metafile headers that
will open with the Windows Picture and Fax Viewer. As long as your AV is
up-to-date you should be fine, however, it's not as fun, nor educational,
as what you did. What would be nice is if their was a way to filter these
type of headers.

Their was an email to bugtraq (Arian Evans) explaining in detail this
exploit, if anyone wants it I can forward it to the group, I just don't
want to repeat it if everyone has already read it.




R. James Stull
Network Administrator
Email - stullrj () cat com



             "Gaddis, Jeremy
             L."
<jeremy () linuxwiz net> To
                                                                        To
             12/29/2005 10:17          Security Basics List
             PM                        <security-basics () securityfocus com>
                                                                        cc





                                                                   Subject
                                       Blocking WMF Files via Squid









Caterpillar: Confidential Green                 Retain Until: 02/02/2006
                                                Retention Category:  G90 -
                                                General
                                                Matters/Administration


In response to the new 0-day WMF exploit, the educational institution
for which I work recently took two steps to mitigate a possible infection.

The first step was filtering files with the ".wmf" extension at the
e-mail gateway via McAfee's Groupshield.  The other step was to block
URLs ending in ".wmf" through Squid, the caching proxy server (through
which all of our HTTP traffic is transparently proxied).

I have detailed the few steps that were needed to do this at
http://www.jeremygaddis.com/2005/12/29/blocking-wmf-at-the-perimeter/
in the event that it might be useful for others looking to do the same.

Please feel free to comment or provide feedback that may be of benefit.

Thanks,
-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
http://www.jeremygaddis.com/

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------





---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]