Re: [Full-disclosure] WMFs blocked with MIME



On Thu, Jan 05, 2006 at 01:35:36PM -0000, lsi wrote:
> Preliminary testing reveals that emails containing WMF files can be 
> blocked by filtering for the MIME-encoded WMF header.  This approach 
> works even if the file is called WORD.DOC.  The string to check for 
> is:  
> 
> 183GmgAA
> 
> These 8 bytes appear as the first 8 bytes of a MIME-encoded WMF.  
> Thus, blocking all emails with those bytes in will block all emails 
> containing WMFs.  
> 
> This technique can be used with common spam filters.  
> 
> Regarding web-based WMFs, of the three browsers on this system, only 
> IE knows what to do with WMFs.  Fortunately, I don't use IE.  This 
> is, however, one more reason I can use to convince my customers to 
> dump it.  

That depends entirely on what 'MIME encoding' is. Base64? UUencode?
BinHex? Quoted-printable?

This is not to say that it is a bad point, and it can be useful as a
simplistic filter. But it is not more than that - even if you manage to
find patterns for all the above, there are numerous compression methods
that can be used.

                Joachim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
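Added example, not from either poster: Joachim's point worked through in Python with only the standard library. It runs the post's base64 string against one constructed WMF header under three transfer encodings, then shows a decode-then-inspect check that does not depend on the encoding; the 22-byte placeable layout, the standard METAHEADER bytes and the gzip case are my assumptions, not something the thread states.

```python
import base64
import binascii
import gzip
import quopri

# Base64 signature quoted in the original post: the first 8 characters of a
# base64-encoded placeable WMF, i.e. the bytes D7 CD C6 9A 00 00.
POST_SIGNATURE = "183GmgAA"
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # placeable header key 0x9AC6CDD7, little-endian
# Standard METAHEADER start: mtType (1 memory, 2 disk) then mtHeaderSize = 9 words
STANDARD_HEADERS = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")

def sample_wmf() -> bytes:
    """Constructed sample: a 22-byte placeable header with zeroed fields; not a
    real picture, but it carries the magic bytes the filters key on."""
    return PLACEABLE_MAGIC + b"\x00\x00" + b"\x00" * 16

def compressed_sample() -> bytes:
    """The reply's caveat: once the attachment is compressed, the magic is hidden."""
    return gzip.compress(sample_wmf(), mtime=0)

def encode_part(data: bytes, cte: str) -> str:
    """Apply a MIME Content-Transfer-Encoding the way a mail client would."""
    if cte == "base64":
        return base64.encodebytes(data).decode("ascii")
    if cte == "quoted-printable":
        return quopri.encodestring(data).decode("ascii")
    if cte == "x-uuencode":
        return binascii.b2a_uu(data).decode("ascii")
    raise ValueError(f"unsupported transfer encoding: {cte}")

def decode_part(text: str, cte: str) -> bytes:
    """Undo the transfer encoding so the filter can inspect the real bytes."""
    if cte == "base64":
        return base64.b64decode(text)
    if cte == "quoted-printable":
        return quopri.decodestring(text.encode("ascii"))
    if cte == "x-uuencode":
        return b"".join(binascii.a2b_uu(line) for line in text.splitlines())
    raise ValueError(f"unsupported transfer encoding: {cte}")

def string_filter_hit(encoded_text: str) -> bool:
    """The post's approach: grep the raw message body for the base64 string."""
    return POST_SIGNATURE in encoded_text

def decoded_filter_hit(encoded_text: str, cte: str) -> bool:
    """Decode first, then check the file's own magic bytes (encoding-independent)."""
    data = decode_part(encoded_text, cte)
    return data.startswith(PLACEABLE_MAGIC) or data[:4] in STANDARD_HEADERS
```

The string match only fires for the base64 case; the decoded check fires for all three encodings but, like the string match, sees nothing once the same bytes are gzip-wrapped, which is where archive unpacking would have to come in.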