WMF - The story continues
Another WMF exploit has been released:
http://isc.sans.org/diary.php?storyid=992
http://www.frsirt.com/exploits/20051231.ie_xp_pfv_metafile.pm.php
US-CERT (http://www.kb.cert.org/vuls/id/181038) recommends blocking the following byte sequences:
01000900
02000900
D7CDC69A
Go to the 'Body Content Types' function of your HTTP-Proxy and add '%0x01000900%*', '%0x02000900%*' and '%0xD7CDC69A%*' as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
While you're at it, you might also want to block 'application/x-msMetafile' with the Content-Type function of your HTTP-Proxy.
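The two checks described above, written out as an added example (not code from the original post or from the proxy vendor): the body is tested against the three byte sequences at its start, independently of the declared Content-Type, and the Content-Type is compared case-insensitively. The function names and the sample responses are constructed for illustration, and the body is assumed to be uncompressed and not chunked.

```python
# Byte sequences from the post, matched at the start of the body like the
# proxy patterns '%0x...%*'. The labels are descriptive names for this example.
SIGNATURES = [
    (bytes.fromhex("01000900"), "WMF header, type 1, 9-word header"),
    (bytes.fromhex("02000900"), "WMF header, type 2, 9-word header"),
    (bytes.fromhex("D7CDC69A"), "placeable WMF key"),
]
BLOCKED_TYPE = "application/x-msmetafile"  # compared case-insensitively


def parse_response(raw: bytes):
    """Split a raw HTTP response into (content_type, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    content_type = ""
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            # Drop parameters such as "; charset=..." before comparing.
            content_type = value.split(b";")[0].strip().lower().decode("latin-1")
    return content_type, body


def check_response(raw: bytes):
    """Return (action, reason); body signatures are checked before the header."""
    content_type, body = parse_response(raw)
    for sig, label in SIGNATURES:
        if body.startswith(sig):
            return "deny", f"body starts with {sig.hex().upper()} ({label})"
    if content_type == BLOCKED_TYPE:
        return "deny", f"Content-Type {content_type}"
    return "allow", "no match"


# Constructed sample responses (headers plus the first body bytes only).
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: "
SAMPLES = {
    "jpeg_label_wmf_body": HDR + b"image/jpeg\r\n\r\n" + bytes.fromhex("D7CDC69A0000"),
    "real_jpeg": HDR + b"image/jpeg\r\n\r\n" + bytes.fromhex("FFD8FFE0"),
    "metafile_type": HDR + b"application/x-msMetafile\r\n\r\n",
    "html": HDR + b"text/html; charset=utf-8\r\n\r\n<html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_response(raw))
```

The first sample shows why the body rule matters in addition to the Content-Type rule: the response is labelled image/jpeg, but the body still begins with one of the listed sequences.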
1 Comment:
Apparently Microsoft recently recompiled their clipart online and it now comes through as WMF-3 body content and is blocked by this rule. I changed my setting from deny to AV Scan and this is now allowed.
Alan Mercer - AKA Darth Tater