Broadband Tech > Security > Security > Windows MetaFiles still vulnerable

reply to redxii

Re: Windows MetaFiles still vulnerable

[Patterns]
Name = "Kill .WMF [Kye-U]"
Active = TRUE
Bounds = "<*>"
Limit = 256
Match = "*.wmf*"
Replace = "$ALERT(.WMF Extension Killed on:\n\n\u)"

[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill WMF Connection [Kye-U] (Out)"
URL = "(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.wmf(*)\1$TST(\1=(^/))"
Match = "*&($CONFIRM(.WMF FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with .WMF Extension Killed\k))"
Replace = "\1"

Thanks Kye-U. With this, do I still need to disable Windows Picture Viewer?

It would catch most .WMF files I would think. The Web Page Filter kills most standard images with .WMF extension, and the Header Filter catches the connections to *.WMF, this is because heavily encrypted JS files are difficult to match, but their connection requests are out in the open

I would think it is still safe to disable Windows Picture Viewer, or perhaps even associating the .WMF file extension to Notepad (or another file).

bestserials had this wmf exploit but maxthon/IE opened a dialog asking if I wanted to view the WMF file with its associated viewer. I said "No" and the infection was prevented.