<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"><channel><title>Blocking those WMF's at the email border</title><link>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx</link><description>Okay so even before I blocked the WMF's via ISA server so that they are blocked while surfing...the first thing I did [ because I knew easily how to do this ] was to go into my antivirus program that protects my Exchange server and add WMF file extensions</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator>
<item><title>Start of the New Year</title><link>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx#80198</link><pubDate>Tue, 03 Jan 2006 08:28:34 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:80198</guid><dc:creator>Nick Whittome - "The Naked MVP" </dc:creator><description>Back to work for me… I am sure that today people will be calling the office to ask...</description></item><item><title>Start of the New Year</title><link>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx#80196</link><pubDate>Tue, 03 Jan 2006 08:28:22 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:80196</guid><dc:creator>Nick Whittome - "The Naked MVP" </dc:creator><description>Back to work for me… I am sure that today people will be calling the office to ask...</description></item><item><title>Conscientious Risk Management and WMF</title><link>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx#80182</link><pubDate>Mon, 02 Jan 2006 20:02:49 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:80182</guid><dc:creator>Jesper's Blog</dc:creator><description>This past week there have been a lot of questions about the WMF vulnerability, what Microsoft is doing,...</description></item><item><title>Conscientious Risk Management and 
WMF</title><link>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx#80181</link><pubDate>Mon, 02 Jan 2006 19:41:33 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:80181</guid><dc:creator>Jesper's Blog</dc:creator><description>This past week there have been a lot of questions about the WMF vulnerability, what Microsoft is doing,...</description></item><item><title>Are you WMF'd to death yet?</title><link>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx#80045</link><pubDate>Fri, 30 Dec 2005 23:52:36 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:80045</guid><dc:creator>Dana Epp's ramblings at the Sanctuary</dc:creator><description>Wondering why you haven't seen any feedback from me on the most recent 0-day exploit on Windows, which takes advantage of a vulnerability in the graphics rendering engine? I took a vacation away from the computer for a few days to catch up on some technical reading, and come back to a plethora of information that pretty much sums up anything I would say. In a blog post in the next few days, I will post just WHAT I was reading, as it's pretty interesting. I'm shaking my head as I absorb some of this new stuff. Anyways, as a summary of the past few days where the world has been screaming that the sky is falling, here is the nitty gritty that matters (at least from my POV): Before you do anything, go read the Microsoft Security Advisory (MSA 912840) on the matter. According to guys over at Sunbelt, Microsoft may be incorrectly stating that software DEP will help mitigate against this threat. Seems that hardware DEP works, software DEP from Microsoft does not. No one has reported if some of the other software DEP agents defend against this attack or not. Susan has a great post on how to filter out WMF attachments on Exchange. 
Jesper has an excellent post on how to block certain extensions with ISA. Even when he goes on holidays he has time to play with ISA :) The easiest fix (temporarily) is to unregister the vulnerable code, using &amp;quot;REGSVR32 /U SHIMGVW.DLL&amp;quot; (without the quotes of course) from Start-&amp;gt;Run. I disagree with Susan that it is too drastic to unregister the DLL. It's quite trivial a fix to significantly mitigate against this threat without impacting the rest of the system. So you don't get pretty thumbnails. But you do prevent the exploit through this attack vector (I will point out it won't stop against someone opening an exploited WMF in MS Paint etc). And with the ability to push this out to all the desktops pretty quickly with a script... it takes no time to toggle it on/off. YMMV of course. That's pretty much all you will hear from me on the WMF issue for now. You can read the other 1,000,000 blog posts about it for more information....</description></item><item><title>re: Blocking those WMF's at the email border</title><link>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx#79958</link><pubDate>Thu, 29 Dec 2005 17:09:48 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:79958</guid><dc:creator>Alun Jones</dc:creator><description>This is true - content is what matters, not extension.  As for &amp;quot;any extension&amp;quot;, that's not quite true - you would need an extension that feeds into the graphics rendering engine.  
If you feel that's a sufficiently dangerous threat to concern yourself with it, you could block all graphics, or you could block all files with content that identifies it as a WMF, if you have a content-based filter.</description></item><item><title>re: Blocking those WMF's at the email border</title><link>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx#79955</link><pubDate>Thu, 29 Dec 2005 15:05:50 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:79955</guid><dc:creator>Alex Lee</dc:creator><description>There are reports that for this exploit, a malicious file can carry any extension.  Not just WMF.  See the 23:19 update on this Internet Storm Center Handler's Diary (&lt;a rel="nofollow" target="_new" href="http://isc.sans.org/diary.php?date=2005-12-29"&gt;http://isc.sans.org/diary.php?date=2005-12-29&lt;/a&gt;).&lt;br&gt;&lt;br&gt;On the other hand, Susan's post is more about the mechanics of blocking files by extension right on your server.  Nice.</description></item><item><title>re: Blocking those WMF's at the email border</title><link>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx#79935</link><pubDate>Thu, 29 Dec 2005 09:47:47 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:79935</guid><dc:creator>Nick Pieters</dc:creator><description>Well, I don't know if Trend is also checking the mails that come from the POP3 connector, guess so.&lt;br&gt;&lt;br&gt;I did everything on my ISA server, SMTP screener installed and blocked WMF for emails and downloads/HTTP.
&lt;br&gt;&lt;br&gt;Fun thing is that it works also for pop3 connector, so it works verry effectively for spam even with pop3 connector!&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=79935" width="1" height="1"&gt;</description></item></channel></rss>