[87706] in North American Network Operators' Group
Re: WMF patch
daemon@ATHENA.MIT.EDU (Robert Boyle)
Thu Jan 5 13:10:59 2006
Date: Thu, 05 Jan 2006 13:10:26 -0500
To: Eric Frazier <eric@dmcontact.com>, nanog@nanog.org
From: Robert Boyle <robert@tellurian.com>
In-Reply-To: <6.1.1.1.2.20060105093357.041e6c70@mail.dmcontact.com>
Errors-To: owner-nanog@merit.edu

At 12:54 PM 1/5/2006, you wrote:
>Thanks Thomas, something really useful. One thing I am still curious
>about: I read that there were other image formats that can be used in
>an exploit; GIF, .BMP, .JPG, .TIF can also be used, according to
>F-Secure. I find this a little confusing: if that dll only deals
>with the WMF file type then the exploit must not be directly connected
>with that dll. Or does that dll handle all of those as well?
>
>But then I found this http://www.pcworld.com/howto/article/0,aid,119993,00.asp
>
>Which makes sense. The way a lot of things I have been seeing go on
>about this, they act like WMF is the only format at issue, and that
>obviously is not at all true. I would have more likely ignored this
>if it really was only WMF files and the MS patch a week or so away.

I believe Windows uses the file header/descriptor data as well as or
instead of the extension to know how to handle images. Otherwise,
simply renaming/blocking all WMF files would result in an effective
mitigation method.
-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
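
An added example, not part of the original message: if image handling follows file content rather than the extension, as the reply above suggests, a mail or proxy filter has to look at the leading bytes instead of the name. The function names and sample bytes below are constructed for illustration; the header values are those of the WMF file format.

```python
import os
import struct

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7 little-endian, optional 22-byte prefix

def is_wmf(data: bytes) -> bool:
    """Recognise a WMF by its header fields, ignoring any file name."""
    if data[:4] == PLACEABLE_KEY:
        data = data[22:]  # the standard header follows the placeable one
    if len(data) < 18:    # the standard WMF header is 18 bytes
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def disguised_wmf(filename: str, data: bytes) -> bool:
    """True when the content is WMF but the extension claims something else."""
    ext = os.path.splitext(filename)[1].lower()
    return is_wmf(data) and ext != ".wmf"

def flag_attachments(attachments):
    """Return names of attachments an extension-only filter would let through."""
    return [name for name, data in attachments if disguised_wmf(name, data)]

# Constructed sample data: a minimal WMF (header plus end-of-file record only).
STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
PLACEABLE_WMF = PLACEABLE_KEY + bytes(18) + STANDARD_WMF
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)
SAMPLES = [
    ("holiday.jpg", STANDARD_WMF),  # WMF content under a .jpg name
    ("logo.gif", PLACEABLE_WMF),    # placeable WMF under a .gif name
    ("chart.wmf", STANDARD_WMF),    # honest name, already caught by extension rules
    ("photo.jpg", JPEG),            # genuine JPEG
]

if __name__ == "__main__":
    print(flag_attachments(SAMPLES))
```
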