[Esd-l] What file-endings should be stopped for this ?

Mark_Saunders Mark_Saunders at piucorp.com
Wed Feb 27 07:33:01 PST 2002


Here are a few suggestions:
*.asf
*.asx
*.avi
*.wmd
*.wms
*.wmz
*.wav
*.mp3
*.mpe
*.mpeg
*.mpg

In addition, if your firewall (or Squid, if you use it) supports MIME type
blocking, block audio/x-wav, as this is what Nimda uses.

Tommy Lindqvist wrote:

> Yes,
> the mp3 files are obvious choices for this. Mainly what I was wondering is
> what other file endings may be used.
>
> If I understood the report correctly, it is script sequences for
> Real Player that are used, so both Mediaplayer of version 7+ and Real player
> would be vulnerable to next generation SirCam.
>
> ( If I remember correctly, SirCam fooled the (non)existent security
> in Outlook by calling itself audio/wav even though it was a .exe file. )
>
> Here comes a perfectly valid mediafile correctly identified as audio/wav,
> and the correct application is launched, and then the script starts to run.
>
> Thus the need to poison all kind of files that Mediaplayer/Realplayer opens
> by default.
>
> I do not know all of them, although a good guess would be
> .wav,.mp3,.mpg
>
> Tommy
>
> At 08:56 2002-02-27 -0600, Michael Geier wrote:
> >Well, you can ask yourself "do my users need to be emailing each
> >other .mp3 files?"...
> >
> >1.  ( yes ) find a strong ceiling, a length of rope and a
> >               wobbly chair...
> >2.  ( no  ) poison .mp3, or mangle .mp3 with a strong warning
> >               to your users about .mp3 files, URL-encoding and
> >               Windows Media Player
> >
> >Also, this only affects Windows Media Player (WMP).  Using Winamp,
> >the song actually stops before the first encoded URL.
> >
> >-----Original Message-----
> >From: esd-l-admin at spconnect.com [mailto:esd-l-admin at spconnect.com]On
> >Behalf Of Tommy Lindqvist
> >Sent: Wednesday, February 27, 2002 2:41 AM
> >To: esd-l at spconnect.com
> >Subject: [Esd-l] What file-endings should be stopped for this ?
> >
> >
> >http://www.pc-radio.com/camouflage.html
> >
> >( Windows using commands hidden in mp3-files. ( I do not know
> >what other endings may be used for these kind of players. (
> >realplayer/Mediaplayer)))
> >
> >Regards,
> >
> >Tommy
> >
> >--
> >Systems Manager      |\      _,,,---,,_      Saab Ericsson Space AB
> >Postmaster          /,`.-'`'    -.  ;-;;,_   tommy.lindqvist at space.se
> >                   |,4-  ) )-,_. ,\ (  `'-'  +46 (0)31 735 4391
> >***************   '---''(_/--'  `-'_)
> >Tommy Lindqvist
> >_______________________________________________
> >Esd-l mailing list
> >Esd-l at spconnect.com
> >http://www.spconnect.com/mailman/listinfo/esd-l
> >

--
mv $win /dev/null
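
Added example (not part of the original thread): a mail-gateway style check that applies both suggestions above, the extension list and the audio/x-wav MIME-type block, to each attachment of a message. The names check_message, BLOCKED_EXT and BLOCKED_TYPES and the sample message are constructed for illustration; audio/wav is included because it is the type named in the quoted reply.

```python
import email
from email import policy

# Extensions suggested in the message above (leading "*" dropped).
BLOCKED_EXT = {".asf", ".asx", ".avi", ".wmd", ".wms", ".wmz",
               ".wav", ".mp3", ".mpe", ".mpeg", ".mpg"}
# MIME types named in the thread.
BLOCKED_TYPES = {"audio/x-wav", "audio/wav"}

# Constructed sample: one media attachment, one .exe declared as audio/x-wav.
SAMPLE = b"""\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: audio/mpeg
Content-Disposition: attachment; filename="song.MP3"

AAAA
--BOUND
Content-Type: audio/x-wav
Content-Disposition: attachment; filename="readme.exe"

AAAA
--BOUND--
"""

def check_message(raw: bytes):
    """Return (filename, declared type, reason) for each part to stop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()      # already lower-cased
        name = part.get_filename() or ""
        # Windows ignores trailing dots and spaces, so "a.mp3." opens as .mp3
        stem = name.rstrip(" .")
        ext = "." + stem.rpartition(".")[2].lower() if "." in stem else ""
        if ext in BLOCKED_EXT:
            findings.append((name, ctype, "blocked extension"))
        elif ctype in BLOCKED_TYPES:
            # Extension looks harmless to the filter, declared type does not
            findings.append((name, ctype, "blocked MIME type"))
    return findings
```

The second finding is the case the extension list alone misses: the file name is not on the list, and only the declared type gives it away.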


