[Dshield] Well, there they are -- exploits for latest Microsoft vulnerabilities
frank at knobbe.us
Fri Oct 14 02:05:12 GMT 2005
On Fri, 2005-10-14 at 01:02 +0000, Fergie (Paul Ferguson) wrote:
> Microsoft Collaboration Data Objects Buffer Overflow PoC Exploit (MS05-048)
> Only the MS05-048 is considered to be "high risk", but word to
> the wise...
It also appears to be the easiest mitigated. Just have your mail relays
remove or replace the "Content-Class:" header line and you should be
If your mail relay/server doesn't support replacement (most *nix ones
do), you can always stick a *nix box in line before your mail gateway
and use NetSED to replace the Content-Class header. Alternatively, use
Snort-Inline with a replacement rule like this:
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Content-Class replacement"; content:"content-class:"; nocase;
I'm not sure if NetSED supports bridging, but I don't see why not. So a
drop-in should be fairly easy.
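The header removal suggested in the message above, as an added example that is not part of the original post and is not code from any particular mail relay. The function name strip_header and the sample message are assumptions made for illustration. It removes the header case-insensitively, including folded continuation lines, from the top-level header block only and leaves the body untouched.

```python
import re

# Header named in the post; matched case-insensitively, like the rule's "nocase".
TARGET = b"content-class"

def strip_header(raw: bytes, name: bytes = TARGET) -> tuple[bytes, int]:
    """Return (message, removed_count) with every `name` header removed.

    Only the top-level header block is touched; the body is passed through
    byte-for-byte, so body text that merely looks like the header stays.
    """
    if raw[:1] in (b"\r", b"\n"):
        return raw, 0  # message starts with a blank line: no header block
    # The header block ends at the newline that precedes the first empty line.
    m = re.search(rb"\r?\n(?=\r?\n)", raw)
    head, rest = (raw[:m.end()], raw[m.end():]) if m else (raw, b"")
    kept, removed, dropping = [], 0, False
    for line in head.splitlines(keepends=True):
        if line[:1] in (b" ", b"\t"):
            # Folded continuation: shares the fate of the header it continues.
            if not dropping:
                kept.append(line)
            continue
        field = line.split(b":", 1)[0].strip().lower()
        dropping = b":" in line and field == name
        if dropping:
            removed += 1
        else:
            kept.append(line)
    return b"".join(kept) + rest, removed

# Constructed sample message (not real traffic): mixed-case header name,
# a folded continuation line, and a look-alike line in the body.
SAMPLE = (
    b"From: a@example.com\r\n"
    b"Subject: test\r\n"
    b"CONTENT-Class: constructed-sample\r\n"
    b"\t-value\r\n"
    b"To: b@example.com\r\n"
    b"\r\n"
    b"Content-Class: this line is body text\r\n"
)

if __name__ == "__main__":
    cleaned, count = strip_header(SAMPLE)
    print(count, "header(s) removed")
    print(cleaned.decode("ascii"))
```

How the function is hooked into a relay (content filter, milter, pipe transport) depends on the mail server and is not shown here.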