Sunday, January 01, 2006

WMF - The story continues

Another WMF exploit has been released:

US-CERT recommends blocking the following byte sequences:


Go to the 'Body Content Types' function of your HTTP-Proxy and add '%0x01000900%*', '%0x02000900%*' and '%0xD7CDC69A%*' as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
While you're at it, you might also want to block 'application/x-msMetafile' with the Content-Type function of your HTTP-Proxy.
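What the two rules above test for, as an added Python example (not from the original post and not the proxy's own code). It assumes the patterns are anchored at the start of the body, as the trailing '*' suggests; all function names are hypothetical, the sample bytes are constructed, and the placeable-header checksum check goes beyond what the post describes.

```python
import struct

# Leading bytes taken from the three body-content patterns in the post.
BODY_SIGNATURES = {
    bytes.fromhex("01000900"): "WMF header, type 1 (in-memory), header size 9 words",
    bytes.fromhex("02000900"): "WMF header, type 2 (on-disk), header size 9 words",
    bytes.fromhex("D7CDC69A"): "placeable WMF header (key 0x9AC6CDD7)",
}
BLOCKED_CONTENT_TYPE = "application/x-msmetafile"


def match_body(body: bytes):
    """Return the description of the signature the body starts with, or None."""
    for magic, description in BODY_SIGNATURES.items():
        if body.startswith(magic):
            return description
    return None


def placeable_checksum_ok(body: bytes) -> bool:
    """Check the XOR checksum over the first ten 16-bit words of a placeable header."""
    if len(body) < 22:
        return False
    *words, stored = struct.unpack("<11H", body[:22])
    computed = 0
    for word in words:
        computed ^= word
    return computed == stored


def decide(content_type: str, body: bytes) -> str:
    """Mirror the two rules: deny on a body signature or on the WMF Content-Type."""
    media_type = content_type.split(";")[0].strip().lower()
    if match_body(body) or media_type == BLOCKED_CONTENT_TYPE:
        return "deny"
    return "allow"


def build_placeable_sample() -> bytes:
    """Constructed sample: 22-byte placeable header plus the start of a standard header."""
    head = struct.pack("<IHhhhhHI", 0x9AC6CDD7, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):
        checksum ^= word
    return head + struct.pack("<H", checksum) + bytes.fromhex("010009000003")
```

These signatures identify the WMF file format rather than any particular exploit, so well-formed, benign metafiles match them too.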


Anonymous said...

Apparently Microsoft recently recompiled their clipart online and it now comes through as WMF-3 body content and is blocked by this rule. I changed my setting from deny to AV Scan and this is now allowed.

Alan Mercer - AKA Darth Tater

4:37 PM  

