Wednesday, December 28, 2005

Windows WMF 0-day exploit (updated)

A 0-day exploit against the Windows Graphics Rendering Engine has been posted on Bugtraq. For more information see:

http://isc.sans.org/diary.php?storyid=972
http://www.securityfocus.com/bid/16074/info
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php

What you can do to protect your network:

1. Go to the 'Body Content Types' of your HTTP-Proxy and add '%0x010009000003%*' as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
2. Go to the 'URL Path' function of your HTTP-Proxy and add '*.wmf' as a pattern match with the 'Rule action' set to Deny, Alarm and Log. If you have not installed MS05-053 yet you should also consider adding '*.emf'.
3. Go to the 'URL Path' function of your HTTP-Proxy and add the following URLs:

'*unionseek.com/*'
'*crackz.ws/*'
'*tfcco.com/*'
'*iframeurl.biz/*'
'*beehappyy.biz/*'

as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
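
The three rules above as an added Python example (not from the original post or the proxy vendor): it applies the post's URL patterns and checks the leading bytes of a response body for the WMF header that '%0x010009000003%*' encodes, so the body rule fires whatever the file extension says. It goes slightly beyond step 1 by also accepting the other standard type and version values and the placeable-header variant; those values, the `example.test` URLs and the sample bodies are assumptions constructed for the example.

```python
import struct
from fnmatch import fnmatchcase

# URL rules from the post (steps 2 and 3), matched against a scheme-less URL.
URL_PATTERNS = ["*.wmf", "*.emf", "*unionseek.com/*", "*crackz.ws/*",
                "*tfcco.com/*", "*iframeurl.biz/*", "*beehappyy.biz/*"]
PLACEABLE_KEY = bytes.fromhex("d7cdc69a")  # assumption: Aldus placeable header key
PLACEABLE_LEN = 22                         # bytes preceding the standard header


def is_std_wmf_header(buf: bytes) -> bool:
    """True if buf starts with a standard WMF header (01 00 09 00 00 03 ...)."""
    if len(buf) < 6:
        return False
    ftype, hdr_words, version = struct.unpack_from("<HHH", buf)
    # Type 1 = in-memory, 2 = disk; header is 9 words; version 1.0 or 3.0.
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def sniff_wmf(body: bytes) -> str:
    """Classify a body by its leading bytes: 'wmf', 'placeable-wmf' or 'other'."""
    if body.startswith(PLACEABLE_KEY):
        inner = body[PLACEABLE_LEN:]
        return "placeable-wmf" if is_std_wmf_header(inner) else "other"
    return "wmf" if is_std_wmf_header(body) else "other"


def evaluate(url: str, body: bytes) -> list[str]:
    """Return the deny rules that fire for a scheme-less URL and its body."""
    hits = [f"url:{p}" for p in URL_PATTERNS if fnmatchcase(url.lower(), p)]
    kind = sniff_wmf(body)
    if kind != "other":
        hits.append(f"body:{kind}")
    return hits


# Constructed sample bodies (headers only, no drawing records).
STD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_WMF = PLACEABLE_KEY + bytes(PLACEABLE_LEN - 4) + STD_WMF
JPEG = bytes.fromhex("ffd8ffe000104a464946")

if __name__ == "__main__":
    for url, body in [("example.test/pic.jpg", STD_WMF),
                      ("example.test/a.wmf", JPEG),
                      ("example.test/logo.png", PLACEABLE_WMF),
                      ("example.test/index.html", b"<html>")]:
        print(url, evaluate(url, body) or "allow")
```
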
