.wmf vulnerability
Ken A
ka at PACIFIC.NET
Thu Dec 29 17:21:40 GMT 2005
Wess Bechard wrote:
> Ken,
>
> Filename rules will work without the file command.
>
> You will need the file command to use the FileType rules.
>
> Sincerely,
>
> Wess
Thanks Wess, I do understand that, but what I'm wondering about is the
strings returned by the file command are based on /usr/share/file/magic,
which reports things like perl and shell scripts as executable - so they
are blocked in the default filetype.rules.conf. I don't want to treat
them the same as a Windows metafile hiding as some innocent .txt file.
Does anyone have a real world filetype.rules.conf file that is a bit more
permissive than the default, but still catches the Windows junk?
Thanks,
Ken A.
Pacific.Net
>
> On Thu, 2005-12-29 at 08:19 -0800, Ken A wrote:
>
>
>>Any suggestions for blocking the latest unpatched remote hole in Windows?
>>
>>http://www.us-cert.gov/cas/techalerts/TA05-362A.html
>>
>>I've added \.wmf to filename.rules.conf (under Julian's "More Microsoft
>>security vulnerabilities"), but I don't have the file command turned on
>>to use filetype rules.
>>
>>What are the implications of enabling the "File Command =" config option?
>>Are there any 'gotchas' I should be aware of?
>>
>>Thanks,
>>
>>Ken A
>>Pacific.Net
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>Support MailScanner development - buy the book off the website!
>
>
>
> ___________________________________________
>
> Wess Bechard
> Information Technology Manager
> eliquidMEDIA International Inc.
> Visit: www.eliquid.com
> Office: 519.973.1930 - 1.800.561.7525
> Fax: 519.253.0337
> Cell: 519.791.9492
> ___________________________________________
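The distinction asked about above, deciding by content so that a metafile renamed to .txt is caught while perl and shell scripts pass, can be sketched as follows. This is an added example, not MailScanner code or configuration and not part of the original post; the function names, the first-match rule order and the sample attachments are constructed for illustration, and the header checks use the standard and placeable WMF header layouts.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # key that opens a placeable WMF (little-endian on disk)

def is_wmf(data: bytes) -> bool:
    """Recognise a Windows metafile from its header, ignoring the file name."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return True
    if len(data) < 18:  # the standard WMF header is 18 bytes long
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def is_script(data: bytes) -> bool:
    """Interpreter scripts (perl, sh, ...) start with a #! line."""
    return data.startswith(b"#!")

# Ordered policy, first match wins (an assumption of this sketch).
RULES = [
    ("deny", lambda name, data: is_wmf(data), "Windows metafile content"),
    ("deny", lambda name, data: name.lower().endswith(".wmf"), ".wmf file name"),
    ("allow", lambda name, data: is_script(data), "interpreter script"),
    ("allow", lambda name, data: True, "default"),
]

def check_attachment(name: str, data: bytes):
    """Return (action, reason) for the first rule that matches."""
    for action, matches, reason in RULES:
        if matches(name, data):
            return action, reason

# Constructed sample attachments (not real mail).
STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 100, 0, 50, 0)
PLACEABLE_WMF = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + STANDARD_WMF
SAMPLES = [
    ("notes.txt", PLACEABLE_WMF),    # metafile hiding behind a .txt name
    ("readme.txt", STANDARD_WMF),    # same, without the placeable header
    ("backup.pl", b"#!/usr/bin/perl\nprint \"ok\\n\";\n"),
    ("picture.wmf", b"just text"),   # caught by name only
    ("hello.txt", b"plain text body\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, *check_attachment(name, data))
```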