Security Basics mailing list archives
RE: Blocking WMF Files via Squid
From: "Jason Burzenski" <Jason.Burzenski () americanhm com>
Date: Tue, 3 Jan 2006 12:49:38 -0500
According to MS blocking WMF files won't help. Are you seeing the majority of exploits coming in as WMF file extensions? If you are, then your squid mitigation should definitely help. Thanks for the tip.
From advisory 912840:
If I block .wmf files by extension, can this protect me against attempts to exploit this vulnerability? No. Because the Graphics Rendering Engine determines file type by means other than just looking at the file extensions, it is possible for WMF files with changed extensions to still be rendered in a way that could exploit the vulnerability. -----Original Message----- From: Gaddis, Jeremy L. [mailto:jeremy () linuxwiz net] Sent: Thursday, December 29, 2005 10:17 PM To: Security Basics List Subject: Blocking WMF Files via Squid In response to the new 0-day WMF exploit, the educational institution for which I work recently took two steps to mitigate a possible infection. The first step was filtering files with the ".wmf" extension at the e-mail gateway via McAfee's Groupshield. The other step was to block URLs ending in ".wmf" through Squid, the caching proxy server (through which all of our HTTP traffic is transparently proxied). I have detailed the few steps that were needed to do this at http://www.jeremygaddis.com/2005/12/29/blocking-wmf-at-the-perimeter/ in the event that it might be useful for others looking to do the same. Please feel free to comment or provide feedback that may be of benefit. Thanks, -j --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ----------------------------------------------------------------------------
Current thread:
- Blocking WMF Files via Squid Gaddis, Jeremy L. (Jan 03)
- Re: Blocking WMF Files via Squid bugtraq (Jan 04)
- Re: Blocking WMF Files via Squid Gaddis, Jeremy L. (Jan 04)
- Re: Blocking WMF Files via Squid Robert J. Stull (Jan 04)
- Re: Blocking WMF Files via Squid Gyenyami InvestinLoss (Jan 05)
- Re: Blocking WMF Files via Squid bo . berlas (Jan 06)
- Re: Blocking WMF Files via Squid Gyenyami InvestinLoss (Jan 05)
- <Possible follow-ups>
- RE: Blocking WMF Files via Squid Jason Burzenski (Jan 04)