Sunday, January 01, 2006

WMF - The story continues

Another WMF exploit has been released:

http://isc.sans.org/diary.php?storyid=992
http://www.frsirt.com/exploits/20051231.ie_xp_pfv_metafile.pm.php

US-CERT (http://www.kb.cert.org/vuls/id/181038) recommends blocking the following byte sequences:

01000900
02000900
D7CDC69A

Go to the 'Body Content Types' function of your HTTP-Proxy and add '%0x01000900%*', '%0x02000900%*' and '%0xD7CDC69A%*' as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
While you're at it, you might also want to block 'application/x-msMetafile' with the Content-Type function of your HTTP-Proxy.
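
The three body patterns and the Content-Type block above, written out as a standalone check. This is an added example, not part of the original post and not the HTTP-Proxy's own code. It assumes the `%0x...%*` patterns match only at the start of the body; `evaluate`, `media_type` and the sample responses are constructed for illustration.

```python
# Byte sequences listed in the post (from US-CERT VU#181038), as hex strings.
BLOCKED_PREFIXES = ("01000900", "02000900", "D7CDC69A")
BLOCKED_CONTENT_TYPE = "application/x-msmetafile"


def media_type(header_value):
    """Lowercased media type without parameters, or '' if the header is absent."""
    if not header_value:
        return ""
    return header_value.split(";", 1)[0].strip().lower()


def evaluate(content_type, body):
    """Return (action, reason) for one HTTP response.

    The declared Content-Type is checked first, then the leading bytes of the
    body, so a metafile served under another type is still caught.
    """
    if media_type(content_type) == BLOCKED_CONTENT_TYPE:
        return ("deny", "content-type " + BLOCKED_CONTENT_TYPE)
    for hex_prefix in BLOCKED_PREFIXES:
        # Assumption: the pattern is anchored at the first byte of the body.
        if body.startswith(bytes.fromhex(hex_prefix)):
            return ("deny", "body starts with " + hex_prefix)
    return ("allow", "no match")


# Constructed sample responses: (Content-Type header, body bytes).
SAMPLES = [
    ("application/x-msMetafile", bytes.fromhex("01000900") + b"\x00" * 14),
    ("image/jpeg", bytes.fromhex("D7CDC69A") + b"\x00" * 18),  # mislabeled body
    ("image/gif", b"GIF89a" + b"\x00" * 10),
    ("text/html; charset=utf-8", b"<html></html>"),
    (None, b"\x02\x00"),  # body shorter than any pattern
    ("image/png", b"xx" + bytes.fromhex("01000900")),  # sequence not at offset 0
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        action, reason = evaluate(ctype, body)
        print(f"{str(ctype):28} {body[:4].hex():8} -> {action:5} ({reason})")
```
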

1 Comment:

Anonymous said...

Apparently Microsoft recently recompiled their clipart online and it now comes through as WMF-3 body content and is blocked by this rule. I changed my setting from deny to AV Scan and this is now allowed.

Alan Mercer - AKA Darth Tater

4:37 PM  
