Windows WMF 0-day exploit (updated)
A 0-day exploit against the Windows Graphics Rendering Engine has been posted on Bugtraq. For more information see:
http://isc.sans.org/diary.php?storyid=972
http://www.securityfocus.com/bid/16074/info
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php
What can you do to protect your network:
1. Go to the 'Body Content Types' of your HTTP-Proxy and add '%0x010009000003%*' as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
2. Go to the 'URL Path' function of your HTTP-Proxy and add '*.wmf' as a pattern match with the 'Rule action' set to Deny, Alarm and Log. If you have not installed MS05-053 yet you should also consider adding '*.emf'.
3. Go to the 'URL Path' function of your HTTP-Proxy and add the following URLs
'*unionseek.com/*'
'*crackz.ws/*'
'*tfcco.com/*'
'*iframeurl.biz/*'
'*beehappyy.biz/*'
as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
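The three rules above, modelled in Python as an added example (not code from the original post or from any proxy product). It assumes '%0x010009000003%*' means a body that begins with the bytes 01 00 09 00 00 03 and that matching is case-insensitive; `evaluate` and the example.test URLs are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Rule 1 (assumed meaning): response body begins with these bytes.
WMF_BODY_PREFIX = bytes.fromhex("010009000003")

# Rule 2: URL path patterns ('*.emf' only matters if MS05-053 is missing).
PATH_PATTERNS = ["*.wmf", "*.emf"]

# Rule 3: URL patterns listed in the post.
URL_PATTERNS = [
    "*unionseek.com/*",
    "*crackz.ws/*",
    "*tfcco.com/*",
    "*iframeurl.biz/*",
    "*beehappyy.biz/*",
]


def evaluate(url, body):
    """Return the names of the rules that would deny this response."""
    parts = urlsplit(url)
    path = parts.path.lower()  # assumption: case-insensitive matching
    host_and_path = (parts.netloc + (parts.path or "/")).lower()
    hits = []
    if body.startswith(WMF_BODY_PREFIX):
        hits.append("body-content")
    if any(fnmatchcase(path, p) for p in PATH_PATTERNS):
        hits.append("url-path-extension")
    if any(fnmatchcase(host_and_path, p) for p in URL_PATTERNS):
        hits.append("url-path-host")
    return hits


if __name__ == "__main__":
    # Constructed samples: header bytes followed by padding, not real files.
    fake_wmf = WMF_BODY_PREFIX + b"\x00" * 12
    samples = [
        ("http://example.test/pics/chart.wmf", fake_wmf),
        ("http://example.test/pics/photo.jpg", fake_wmf),
        ("http://example.test/index.html", b"<html></html>"),
        ("http://www.crackz.ws/a", b"<html></html>"),
    ]
    for url, body in samples:
        hits = evaluate(url, body)
        print("DENY " if hits else "ALLOW", url, hits)
```

The second sample shows why rule 1 matters: a metafile served under another extension passes the '*.wmf' path rule but is still denied on body content.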