That would be this posting: http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041032.h tml
I'm willing to bet that this information is not to be trusted, Dave. I'm confident enough and lazy enough that I'm not going to test it. "Preliminary testing reveals that emails containing WMF files can be blocked by filtering for the MIME-encoded WMF header." A) If a blackhat is going to take the effort, even with the Metasploit framework, to create a malformed WMF with a trojan inside, that same blackhat will find it trivial to craft a non-compliant MIME entry in the email. Virus and spam authors ignore MIME standards anyway as a matter of course. "Regarding web-based WMFs, of the three browsers on this system, only IE knows what to do with WMFs." B) This guy is presenting a very weak follow-up on ground already trod by giants. IE as a default browser will open the attachment automagically and the exploit can take place invisibly. The other browsers (Opera, Firefox, et al) will prompt the user as to whether the default application should be used to open the object. The user is then free to self-inflict the malware on themselves by clicking OK. And most users would. Andrew 8( --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.