Blocking of WMF
Jethro R Binks
jethro.binks at strath.ac.uk
Tue Mar 17 12:18:14 GMT 2009
For a long time we've had the following rule enabled:
# JKF 01/01/2006 Another Microsoft security vulnerability
deny \.wmf$ Windows Metafile security vulnerability
Possible format attack in Windows
More and more we are finding that .WMFs are being discovered in the
zipfile that MS Office 2007 documents are composed of. This MS kb article
alludes to one particular issue relating to "thumbnail.wmf" being
detected:
http://support.microsoft.com/kb/934284
but we very often see "image1.wmf", "image2.wmf", etc discovered too.
Very often, the sending user is completely oblivious to the presence of
images in the document (zip file), nor what to do to remove them or save
them as something else, and at least in the case of the "thumbnail.wmf"
content, this is something that the application itself has generated
without the user knowing about it.
So my question is twofold:
1. do other sites have this issue and what do they do about it;
2. is blocking of .WMF justified these days, given that patches for the
potential vulnerability have been available for many years now. Is it
still being actively exploited?
Thoughts welcome,
Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
More information about the MailScanner
mailing list