Blocking of WMF
Mike M
mrm at quantumcc.com
Tue Mar 24 14:55:34 GMT 2009
Jethro R Binks wrote:
> On Tue, 17 Mar 2009, Jethro R Binks wrote:
>
>> but we very often see "image1.wmf", "image2.wmf", etc discovered too.
>>
>> Very often, the sending user is completely oblivious to the presence of
>> images in the document (zip file), nor what to do to remove them or save
>> them as something else, and at least in the case of the "thumbnail.wmf"
>> content, this is something that the application itself has generated
>> without the user knowing about it.
> ...
>
> Neither this, nor the other thread where I mentioned:
>
>> I have often thought that it would useful for MailScanner to have some
>> context when applying the filename rules, to give some flexibility. So
>> for example it might permit all or certain .wmf if it knows it has found
>> them while digging around in an Office 2007 zip doc. Perhaps another
>> field in filename.rules.conf that is a list of context matches
>> ('zip,msofficezip'), with a default of "all contexts".
>
> solicited much response.
>
> I would like to add something else to the mix: when an objectional file in
> an archive is found, that as well as listing the objectional file and the
> reason, that the name of the archive is also available.
>
> I currently have a case in hand where someone has sent several Word and
> Powerpoint documents in one message, and received a rejection from us
> complaining about:
>
>> Report: Possible format attack in Windows (image3.wmf)
>> Report: Possible format attack in Windows (image4.wmf)
>> Report: Possible format attack in Windows (image5.wmf)
>> Report: Possible format attack in Windows (image9.wmf)
>> Report: Possible format attack in Windows (image2.wmf)
>> Report: Possible format attack in Windows (image1.wmf)
>
> but there appears to be no way to know which of the several attachments
> caused the problem, other than to have him send them all individually.
>
> And if someone can point me at a resource that explains the prevelance of
> "image1.wmf", "image2.wmf", etc, in MS Office documents, I'd be grateful.
> (This particular sender insists that his Word documents contained
> absolutely no images, although there's a Powerpoint document in the mix
> too).
>
I don't know why office 2007 documents use .wmf files in them, but
they've gotten so common that I've simply had to allow all .wmf files
since I can't just block them outside of the office documents. It's
unfortunate, but blocking .wmf is becoming equivalent to blocking .docx,
.xlsx and .pptx with the current way MS handles archives and is only
getting worse as more people adopt 2007. It appears as though as long as
your patched, then wmf's are safe, but that's only good until the next
zero day.
I second the request to show in a more apparent way what the source
archive file is when MS detects a file inside an archive that it's blocking.
More information about the MailScanner
mailing list