Blocking of WMF

Mike M mrm at quantumcc.com
Tue Mar 24 14:55:34 GMT 2009


Jethro R Binks wrote:
> On Tue, 17 Mar 2009, Jethro R Binks wrote:
> 
>> but we very often see "image1.wmf", "image2.wmf", etc discovered too.
>>
>> Very often, the sending user is completely oblivious to the presence of 
>> images in the document (zip file), nor what to do to remove them or save 
>> them as something else, and at least in the case of the "thumbnail.wmf" 
>> content, this is something that the application itself has generated 
>> without the user knowing about it.
> ...
> 
> Neither this, nor the other thread where I mentioned:
> 
>> I have often thought that it would be useful for MailScanner to have some 
>> context when applying the filename rules, to give some flexibility.  So 
>> for example it might permit all or certain .wmf if it knows it has found 
>> them while digging around in an Office 2007 zip doc.  Perhaps another 
>> field in filename.rules.conf that is a list of context matches 
>> ('zip,msofficezip'), with a default of "all contexts".
> 
> solicited much response.
> 
> I would like to add something else to the mix: when an objectionable file in 
> an archive is found, that as well as listing the objectionable file and the 
> reason, that the name of the archive is also available.
> 
> I currently have a case in hand where someone has sent several Word and 
> Powerpoint documents in one message, and received a rejection from us 
> complaining about:
> 
>> Report: Possible format attack in Windows (image3.wmf)
>> Report: Possible format attack in Windows (image4.wmf)
>> Report: Possible format attack in Windows (image5.wmf)
>> Report: Possible format attack in Windows (image9.wmf)
>> Report: Possible format attack in Windows (image2.wmf)
>> Report: Possible format attack in Windows (image1.wmf)
> 
> but there appears to be no way to know which of the several attachments 
> caused the problem, other than to have him send them all individually.
> 
> And if someone can point me at a resource that explains the prevalence of 
> "image1.wmf", "image2.wmf", etc, in MS Office documents, I'd be grateful.  
> (This particular sender insists that his Word documents contained 
> absolutely no images, although there's a Powerpoint document in the mix 
> too).
> 

I don't know why Office 2007 documents use .wmf files in them, but 
they've gotten so common that I've simply had to allow all .wmf files 
since I can't just block them outside of the office documents.  It's 
unfortunate, but blocking .wmf is becoming equivalent to blocking .docx, 
.xlsx and .pptx with the current way MS handles archives and is only 
getting worse as more people adopt 2007. It appears as though as long as 
you're patched, then wmf's are safe, but that's only good until the next 
zero day.

I second the request to show in a more apparent way what the source 
archive file is when MS detects a file inside an archive that it's blocking.
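
The reporting requested in this thread (naming the parent archive for each flagged .wmf, plus the 'zip' / 'msofficezip' context from the quoted proposal) can be sketched as follows. This is an added example, not MailScanner code and not part of the original message; the function names, the sample attachments and the use of `[Content_Types].xml` to recognise an Office 2007 package are assumptions of the example.

```python
import io
import zipfile

# Assumption of this example: an Office 2007 (OOXML) package is a zip that
# contains a member named "[Content_Types].xml".
OOXML_MARKER = "[Content_Types].xml"

def find_wmf_members(attachments):
    """Return (archive_name, member_path, context) for every .wmf in a zip.

    attachments maps attachment filename -> raw bytes. context is
    'msofficezip' for OOXML packages and 'zip' for any other zip archive.
    """
    findings = []
    for name, data in sorted(attachments.items()):
        buf = io.BytesIO(data)
        if not zipfile.is_zipfile(buf):
            continue  # not an archive, nothing to unpack
        try:
            with zipfile.ZipFile(buf) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            # Looks like a zip but cannot be read: still name the archive.
            findings.append((name, "<unreadable archive>", "zip"))
            continue
        context = "msofficezip" if OOXML_MARKER in members else "zip"
        for member in members:
            if member.lower().endswith(".wmf"):
                findings.append((name, member, context))
    return findings

def _make_zip(members):
    """Build a zip in memory from {path: bytes} (helper for the sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed sample message with several attachments (not real documents).
SAMPLE = {
    "report.docx": _make_zip({OOXML_MARKER: b"<Types/>", "word/document.xml": b"<w/>"}),
    "slides.pptx": _make_zip({OOXML_MARKER: b"<Types/>",
                              "ppt/media/image1.wmf": b"x",
                              "ppt/media/image2.wmf": b"x"}),
    "misc.zip": _make_zip({"thumbnail.wmf": b"x"}),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for archive, member, context in find_wmf_members(SAMPLE):
        print(f"Report: {member} found inside {archive} (context: {context})")
```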


