Blocking of WMF

Jethro R Binks jethro.binks at strath.ac.uk
Tue Mar 17 12:49:07 GMT 2009


On Tue, 17 Mar 2009, Randal, Phil wrote:

> Should be OK (until next WMF vulnerability is discovered) if you have 
> MS09-006 applied.
> 
> http://www.microsoft.com/technet/security/Bulletin/ms09-006.mspx

Oh dear, I hadn't realised there were more recent discoveries of ways to 
exploit WMF.

Sigh.  Thanks, I think.

Possibly permitting "thumbnail.wmf" specifically would be an acceptable 
compromise.  Although I suppose if I wanted to exploit the format, that's 
the sort of filename I would use ...

Jethro.


> 
> Cheers,
> 
> Phil
> 
> --
> Phil Randal | Networks Engineer
> Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
> Services Division
> Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
> Tel: 01432 260160
> email: prandal at herefordshire.gov.uk
> 
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jethro
> R Binks
> Sent: 17 March 2009 12:18
> To: mailscanner at lists.mailscanner.info
> Subject: Blocking of WMF
> 
> For a long time we've had the following rule enabled:
> 
> # JKF 01/01/2006 Another Microsoft security vulnerability
> deny    \.wmf$          Windows Metafile security vulnerability    Possible format attack in Windows
> 
> More and more we are finding that .WMFs are being discovered in the
> zipfile that MS Office 2007 documents are composed of.  This MS kb
> article alludes to one particular issue relating to "thumbnail.wmf" being
> detected:
> 
>   http://support.microsoft.com/kb/934284
> 
> but we very often see "image1.wmf", "image2.wmf", etc discovered too.
> 
> Very often, the sending user is completely oblivious to the presence of
> images in the document (zip file), nor what to do to remove them or save
> them as something else, and at least in the case of the "thumbnail.wmf" 
> content, this is something that the application itself has generated
> without the user knowing about it.
> 
> So my question is twofold:
> 
> 1. do other sites have this issue and what do they do about it;
> 
> 2. is blocking of .WMF justified these days, given that patches for the
> potential vulnerability have been available for many years now.  Is it
> still being actively exploited?
> 
> Thoughts welcome,
> 
> Jethro.
> 
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> .
> Jethro R Binks
> Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
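
The check discussed in this thread, as an added example that is not part of the original messages and is not MailScanner code: it lists every zip member that the `\.wmf$` rule would match and reports whether the content actually begins with a WMF header, since a name such as "thumbnail.wmf" says nothing about what the member contains. The function names, the case-insensitive match and the member paths in the constructed sample are assumptions.

```python
import io
import re
import struct
import zipfile

# Same pattern as the deny rule quoted above; case-insensitive matching is an assumption.
WMF_NAME = re.compile(r"\.wmf$", re.IGNORECASE)
PLACEABLE_KEY = 0x9AC6CDD7  # magic value of an Aldus placeable metafile header


def looks_like_wmf(head: bytes) -> bool:
    """True if the first four bytes are a placeable or standard WMF header."""
    if len(head) < 4:
        return False
    if struct.unpack("<I", head[:4])[0] == PLACEABLE_KEY:
        return True
    # Standard header: type 1 (memory) or 2 (disk), header size of 9 words.
    file_type, header_words = struct.unpack("<HH", head[:4])
    return file_type in (1, 2) and header_words == 9


def wmf_members(container: bytes) -> list[dict]:
    """List every member of a zip-based document whose name ends in .wmf."""
    found = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if not WMF_NAME.search(info.filename):
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            base = info.filename.rsplit("/", 1)[-1].lower()
            found.append({
                "name": info.filename,
                "size": info.file_size,
                "is_thumbnail_name": base == "thumbnail.wmf",
                "wmf_header": looks_like_wmf(head),
            })
    return found


def build_sample() -> bytes:
    """Constructed sample: a tiny zip laid out like an Office 2007 document."""
    placeable = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/thumbnail.wmf", placeable)   # assumed path
        zf.writestr("word/media/image1.wmf", b"not a metafile")  # assumed path
    return buf.getvalue()
```

Calling `wmf_members(build_sample())` returns one row per matching member, which is the information a site would need before deciding whether a name-based exception is acceptable.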

