Thursday, February 16, 2006

MS06-005 prevention

Yesterday the security bulletin: MS06-005
Today the exploit: WMP BMP Handling Buffer Overflow Exploit

Of course the first solution is the patch. But if you have not yet had time to test and deploy it, you can use the following rules to protect your network in the meantime.

1. Go to the 'Body Content Types' of your HTTP-Proxy and add '%0x424D%*' (the 'BM' signature that every BMP file starts with) as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
2. Go to the 'URL Path' function of your HTTP-Proxy and add '*.bmp' as a pattern match with the 'Rule action' set to Deny, Alarm and Log.

Wednesday, February 08, 2006

You had better keep blocking WMF files

Microsoft has released a new security advisory describing a new vulnerability in older versions of Internet Explorer. Again, 'a specially crafted Windows Metafile (WMF) image' could allow remote code execution.
Are you still using one of these?

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium.

Then you had better keep the following 'Body Content Type' rules in place:

WMF - 1: (MS06-001) (Also add *.wmf to "URL paths")
%0x01000900%*

WMF - 2:
%0x02000900%*

MS advisory

Friday, February 03, 2006

Body Content Type rules

I have a nice virus collection on my test computer. Looking at the headers of all those little critters, I found out that the default "Windows EXE/DLL" "Body Content Type" rule is far from sufficient for blocking executable content. I think it was built to block ActiveX (in combination with the "Windows CAB archive" rule), and it does a reasonably good job at that.
If you want to go further and also block other executable content, you may want to consider the following rules. TEST these rules before setting them to Deny in a production environment. I have had no false positives from these rules yet, but your organization may have specific needs.
The best way to test is to set the rule action to Allow and enable Alarm and Log.

All the rules are Pattern matches:

EXE - Windows NE format:
%0x4d5a50000200000004000f00ffff0000%*

EXE - FSG packed:
%0x4d5a000000000000000000005045%*

EXE - NSpacked:
%0x4d5a40000100000002000000ffff0000%*

EXE - Upacked (matches the 'MZKERNEL32.DLL' string that Upack writes over the DOS header):
%0x4d5a4b45524e454c33322e444c4c%*

EXE - undefined packer:
%0x4d5a80000100000004001000ffff0000%*

CHM (Compiled Help File) (MS04-025) (Also add *.chm to "URL paths")
%0x495453460300000060%*

WMF - 1: (MS06-001) (Also add *.wmf to "URL paths")
%0x01000900%*

WMF - 2:
%0x02000900%*

(Both WMF rules key on the standard metafile header at the very start of the body: type 1 or 2 followed by a header size of 9 words. A placeable WMF starts with the 22-byte Aldus header instead, key 0x9AC6CDD7 stored little-endian as D7 CD C6 9A, so those files slip past both patterns. That is one more reason to keep the *.wmf "URL paths" rule as well.)

I also have a rule:

EXE - generic
%0x4d5a%*

For me this also did not trigger any false positives, but it may be far too rigorous for you.

Not related to fighting viruses, but also useful:

7-Zip archive:
%0x377abcaf271c%*

RAR archive (Also add *.rar to "URL paths"):
%0x526172211A%*

ZIP archive multivolume:
%0x504b0708%*

InstallShield file:
%0x49536328%*

BitTorrent Link:
%0x64383A616E6E6F756E6365%*

MP3 (Only matches MP3s that start with an ID3v2.3 tag smaller than 16 KB: the pattern fixes the version bytes 03 00, the flags byte and the first two syncsafe size bytes, so files with ID3v2.2/v2.4 tags, larger tags or no tag at all pass) (Also add *.mp3 to "URL paths")
%0x4944330300000000%*

OGG (Also add *.ogg to "URL paths")
%0x4F676753%*
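To test the rules from all three posts above against real files before switching them to Deny, here is an added example in Python. It is my own code, not part of the original posts or of any vendor's proxy, and it assumes that a '%0x....%*' pattern means "the body starts with exactly these bytes". It collects the Body Content Type rules (including the MS06-005 BMP rule) and the "URL paths" globs, then runs them over constructed sample headers, among them a placeable WMF and an ID3v2.4 MP3 that the rules deliberately do not catch. Rule names, the glob list and the sample bodies are my own.

```python
"""Re-implementation of the proxy's Body Content Type prefix matches (added
example, not vendor code). Pattern syntax assumed: '%0x' + hex bytes + '%*'
means the body must START with those bytes."""
import fnmatch
import re
import struct

# Rules copied from the posts (name, pattern as typed into the proxy). The
# generic MZ rule is last on purpose so the output also shows which specific
# rule would have caught an executable sample.
RULES = [
    ("BMP (MS06-005)",           "%0x424D%*"),
    ("EXE - Windows NE format",  "%0x4d5a50000200000004000f00ffff0000%*"),
    ("EXE - FSG packed",         "%0x4d5a000000000000000000005045%*"),
    ("EXE - NSpacked",           "%0x4d5a40000100000002000000ffff0000%*"),
    ("EXE - Upacked",            "%0x4d5a4b45524e454c33322e444c4c%*"),
    ("EXE - undefined packer",   "%0x4d5a80000100000004001000ffff0000%*"),
    ("CHM (MS04-025)",           "%0x495453460300000060%*"),
    ("WMF - 1 (MS06-001)",       "%0x01000900%*"),
    ("WMF - 2",                  "%0x02000900%*"),
    ("7-Zip archive",            "%0x377abcaf271c%*"),
    ("RAR archive",              "%0x526172211A%*"),
    ("ZIP archive multivolume",  "%0x504b0708%*"),
    ("InstallShield file",       "%0x49536328%*"),
    ("BitTorrent Link",          "%0x64383A616E6E6F756E6365%*"),
    ("MP3 (ID3v2)",              "%0x4944330300000000%*"),
    ("OGG",                      "%0x4F676753%*"),
    ("EXE - generic",            "%0x4d5a%*"),
]

# "URL paths" globs mentioned in the posts (assumed to be case-insensitive).
URL_PATH_RULES = ["*.bmp", "*.wmf", "*.chm", "*.rar", "*.mp3", "*.ogg"]

_PATTERN_RE = re.compile(r"^%0x([0-9A-Fa-f]+)%\*$")


def pattern_to_prefix(pattern):
    """Turn '%0x4d5a%*' into b'MZ'. Only the leading-bytes form is handled,
    which is the only form the rules above use (assumed proxy syntax)."""
    m = _PATTERN_RE.match(pattern)
    if m is None or len(m.group(1)) % 2:
        raise ValueError("unsupported pattern: %r" % pattern)
    return bytes.fromhex(m.group(1))


def matching_rules(body):
    """Names of every Body Content Type rule whose prefix matches the body."""
    return [name for name, pat in RULES if body.startswith(pattern_to_prefix(pat))]


def url_path_blocked(path):
    """True if the request path hits one of the URL Path deny globs."""
    return any(fnmatch.fnmatch(path.lower(), g) for g in URL_PATH_RULES)


# Constructed sample bodies: just enough header bytes to exercise each rule.
SAMPLES = {
    # 'BM', file size, two reserved words, pixel-data offset; DIB left blank.
    "tiny.bmp":      b"BM" + struct.pack("<IHHI", 58, 0, 0, 54) + b"\x00" * 40 + b"\xff\xff\xff\x00",
    # MZ, ten zero bytes, then 'PE': exactly what the FSG rule keys on.
    "fsg.exe":       b"MZ" + b"\x00" * 10 + b"PE\x00\x00" + b"\x00" * 16,
    # Upack overwrites the DOS header fields with the string KERNEL32.DLL.
    "upack.exe":     b"MZKERNEL32.DLL\x00" + b"\x00" * 16,
    # Ordinary DOS stub that none of the packer rules know: only generic MZ fires.
    "plain.exe":     b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    # Standard (disk) WMF: type 2, header size 9 words, version 0x0300.
    "disk.wmf":      b"\x02\x00\x09\x00\x00\x03" + b"\x00" * 12,
    # Placeable WMF: 22-byte Aldus header (key 0x9AC6CDD7 little-endian) comes
    # first, so the standard header is not at offset 0 and no WMF rule matches.
    "placeable.wmf": b"\xd7\xcd\xc6\x9a" + b"\x00" * 18 + b"\x02\x00\x09\x00\x00\x03",
    "help.chm":      b"ITSF\x03\x00\x00\x00\x60\x00\x00\x00",
    "small.mp3":     b"ID3\x03\x00\x00\x00\x00\x10\x00",  # ID3v2.3, tag size 0x800
    "v24.mp3":       b"ID3\x04\x00\x00\x00\x00\x10\x00",  # ID3v2.4: rule misses it
    "big.mp3":       b"ID3\x03\x00\x00\x00\x01\x00\x00",  # v2.3 but tag is 16 KB
    "image.png":     b"\x89PNG\r\n\x1a\n",                # benign control sample
}


def classify(samples=SAMPLES):
    """Map each sample name to the list of rule names that would deny it."""
    return {name: matching_rules(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in classify().items():
        print("%-14s %s" % (name, ", ".join(hits) or "(allowed)"))
```

Running the script lists, per sample, which rules would deny it; anything reported as "(allowed)" is a gap the URL Path rule or the patch has to cover. Pointing `SAMPLES` at the first few hundred bytes of files from your own virus collection turns this into the false-positive check the post recommends doing with Allow + Alarm + Log.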