Security Basics mailing list archives

Re: Blocking WMF Files via Squid


From: bugtraq () jammeh co uk
Date: Tue, 03 Jan 2006 19:28:33 +0000

Gaddis, Jeremy L. wrote:
In response to the new 0-day WMF exploit, the educational institution for which I work recently took two steps to mitigate a possible infection.

The first step was filtering files with the ".wmf" extension at the e-mail gateway via McAfee's Groupshield. The other step was to block URLs ending in ".wmf" through Squid, the caching proxy server (through which all of our HTTP traffic is transparently proxied).

I have detailed the few steps that were needed to do this at http://www.jeremygaddis.com/2005/12/29/blocking-wmf-at-the-perimeter/
in the event that it might be useful for others looking to do the same.

Please feel free to comment or provide feedback that may be of benefit.

Thanks,
-j

Sorry if the below has already been posted to list...

This is useful, but it's also interesting to see that on the whole a .wmf renamed with extension .jpg will slip through simple file*name* blocking. Filetype checking is required. Something which might be good for people to flag early.

Ref: http://vil.nai.com/vil/content/v_137760.htm

Cheers
James
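The distinction James draws, as an added example that is not code from either poster or from the Squid project: an extension-only rule of the kind the proxy filter applies, beside a check that reads the WMF header bytes regardless of the file name. The sample files and names are constructed.

```python
import struct

# Magic values from the WMF format: a placeable (Aldus) header opens with the
# 32-bit key 0x9AC6CDD7 stored little-endian; a standard header opens with
# mtType (1 = memory, 2 = disk), mtHeaderSize (always 9 words) and
# mtVersion (0x0100 or 0x0300).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
STANDARD_TYPES = (1, 2)
STANDARD_HEADER_WORDS = 9
STANDARD_VERSIONS = (0x0100, 0x0300)


def looks_like_wmf(data: bytes) -> bool:
    """Return True if the bytes carry a WMF header, whatever the name says."""
    if len(data) < 6:
        return False
    if data[:4] == PLACEABLE_KEY:
        return True
    mt_type, header_words, version = struct.unpack("<HHH", data[:6])
    return (mt_type in STANDARD_TYPES
            and header_words == STANDARD_HEADER_WORDS
            and version in STANDARD_VERSIONS)


def name_filter_blocks(filename: str) -> bool:
    """Extension-only rule, as a URL or attachment-name block would apply it."""
    return filename.lower().endswith(".wmf")


def content_filter_blocks(filename: str, data: bytes) -> bool:
    """Filetype check: the name is ignored, only the bytes decide."""
    return looks_like_wmf(data)


# Constructed samples (not real exploit files): a minimal standard WMF header
# plus padding, and a JPEG SOI/APP0 marker. The WMF is also given a .jpg name.
WMF_BYTES = struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 12

SAMPLES = {
    "chart.wmf": WMF_BYTES,
    "holiday.jpg": WMF_BYTES,   # WMF content hiding behind a .jpg name
    "real.jpg": JPEG_BYTES,
}


def compare_filters(samples=SAMPLES):
    """Map each sample name to (name-filter verdict, content-filter verdict)."""
    return {name: (name_filter_blocks(name), content_filter_blocks(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (by_name, by_content) in compare_filters().items():
        print(f"{name:12} name-filter={by_name!s:5} content-filter={by_content}")
```

The renamed sample is the case the post warns about: the name rule passes it and only the header check catches it.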
