IDS mailing list archives

RE: WMF and IPS products?

From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Thu, 5 Jan 2006 17:29:33 -0500

<I work for ISS.>

ISS products protect against attempts to exploit the WMF vulnerability.

The protection module in these products parses all of the major
protocols as well as the most of the major file formats as they cross
the network.

So, for example, the products can parse SMTP, find the MIME encoded
message, find the BASE64 encoded WMF file attached as "harmless.gif",
normalize the BASE64, recognize that the attachment is a WMF file in
spite of its name, parse the WMF file, and recognize the combination of
features an intruder might use to exploit a vulnerable system and block
the traffic if they are present.

As another example, the products can parse HTTP, recognize the download
of a compressed (or deflated) harmless.html, decompress (or inflate) it,
recognize that it is actually a WMF file, and once again recognize the
combination of features an intruder might use to exploit a vulnerable
system and block the traffic if they are present.

If you use the Desktop Protector product, you have additional layers of
protection (that is, protection in depth). The product's buffer overflow
protection provides protection against some of the exploits. Likewise,
the behavioral A/V component also recognizes and quarantines most of the
known exploits (and if the past is any indication of the future) most of
the unknown exploits.

Paul

-----Original Message-----
From: Sam Evans [mailto:wintrmte () gmail com] 
Sent: Wednesday, January 04, 2006 5:43 PM
To: focus-ids () securityfocus com
Subject: WMF and IPS products?


I am curious if any of the major IPS vendors are able to successfully
protect workstations from downloading malicious WMF content?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Current thread:

WMF and IPS products? Sam Evans (Jan 05)
- Re: WMF and IPS products? Haseeb Abdali (Jan 09)
  - Re: WMF and IPS products? David W. Goodrum (Jan 10)
- Re: WMF and IPS products? Jason Haar (Jan 11)
- RE: WMF and IPS products? Mike Barkett (Jan 11)
  - RE: WMF and IPS products? Alan Shimel (Jan 11)
- Re: WMF and IPS products? Pukhraj Singh (Jan 11)
- <Possible follow-ups>
- RE: WMF and IPS products? Murat Korkmaz (Jan 11)
- RE: WMF and IPS products? Palmer, Paul (ISSAtlanta) (Jan 11)
- RE: WMF and IPS products? Mills, Alvin R (Jan 11)