<I work for ISS.>
ISS products protect against attempts to exploit the WMF vulnerability.
The protection module in these products parses all of the major
protocols as well as the most of the major file formats as they cross
the network.
So, for example, the products can parse SMTP, find the MIME encoded
message, find the BASE64 encoded WMF file attached as "harmless.gif",
normalize the BASE64, recognize that the attachment is a WMF file in
spite of its name, parse the WMF file, and recognize the combination of
features an intruder might use to exploit a vulnerable system and block
the traffic if they are present.
As another example, the products can parse HTTP, recognize the download
of a compressed (or deflated) harmless.html, decompress (or inflate) it,
recognize that it is actually a WMF file, and once again recognize the
combination of features an intruder might use to exploit a vulnerable
system and block the traffic if they are present.
If you use the Desktop Protector product, you have additional layers of
protection (that is, protection in depth). The product's buffer overflow
protection provides protection against some of the exploits. Likewise,
the behavioral A/V component also recognizes and quarantines most of the
known exploits (and if the past is any indication of the future) most of
the unknown exploits.
Paul
-----Original Message-----
From: Sam Evans [mailto:wintrmte@gmail.com]
Sent: Wednesday, January 04, 2006 5:43 PM
To: focus-ids@securityfocus.com
Subject: WMF and IPS products?
I am curious if any of the major IPS vendors are able to successfully
protect workstations from downloading malicious WMF content?
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
