<I work for ISS.> ISS products protect against attempts to exploit the WMF vulnerability.
The protection module in these products parses all of the major protocols as well as the most of the major file formats as they cross the network. So, for example, the products can parse SMTP, find the MIME encoded message, find the BASE64 encoded WMF file attached as "harmless.gif", normalize the BASE64, recognize that the attachment is a WMF file in spite of its name, parse the WMF file, and recognize the combination of features an intruder might use to exploit a vulnerable system and block the traffic if they are present. As another example, the products can parse HTTP, recognize the download of a compressed (or deflated) harmless.html, decompress (or inflate) it, recognize that it is actually a WMF file, and once again recognize the combination of features an intruder might use to exploit a vulnerable system and block the traffic if they are present. If you use the Desktop Protector product, you have additional layers of protection (that is, protection in depth). The product's buffer overflow protection provides protection against some of the exploits. Likewise, the behavioral A/V component also recognizes and quarantines most of the known exploits (and if the past is any indication of the future) most of the unknown exploits. Paul -----Original Message----- From: Sam Evans [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 5:43 PM To: [email protected] Subject: WMF and IPS products? I am curious if any of the major IPS vendors are able to successfully protect workstations from downloading malicious WMF content? ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
