[clamav-users] Swf.Exploit.CVE_2016_1100-1
Al Varnell
alvarnell at mac.com
Sat Jan 14 00:38:55 UTC 2017
I just submitted the following file as a False Positive for signature Swf.Exploit.CVE_2016_1100-1:
c20bf64d43bd2f07e993535fa1b3f497:470810:playerglobal24_0.swc
This file was downloaded from the Adobe Flash Player debug site <https://www.adobe.com/support/flashplayer/debug_downloads.html> and older versions are available from Archived Flash Player versions <https://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html>.
It is used by developers and included in several Adobe applications (e.g. Adobe Animate CC 201x) and contains a library of available APIs for interfacing with Adobe Flash Player.
This same file or older versions have been found before as infected by Swf.Exploit.CVE_2016_7878-1, Swf.Exploit.CVE_2016_4225-1, Swf.Exploit.CVE_2016_0968-1, Swf.Exploit.CVE_2016_4156-1 and probably others.
My point in posting it here is that the file is quite commonly found in Adobe applications and on the platforms of developers utilizing Flash Player. Due to the nature of the file I don't think the current approach in attempting to identify a vulnerability based on detection of coding strings is the correct one here when the file is an exhaustive list of all API strings that can be used with Flash Player. I also have to wonder if older versions of this file, containing these strings, aren't already included in the QA database? I checked all archived versions associated with Flash Player 21 through 24 and they all test as infected.
-Al-
--
Al Varnell
Mountain View, CA
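
The line quoted in the post has the `MD5:size:name` layout of a ClamAV hash entry, the same layout ClamAV reads from a local `.fp` database to exempt a known-good file. The following is an added example, not code from the post or from the ClamAV project: it parses such entries and checks file contents against them, using constructed sample bytes and hypothetical helper names (`parse_entry`, `load_entries`, `make_entry`, `is_allowlisted`).

```python
import hashlib
from typing import Iterable, List, NamedTuple, Optional


class HashEntry(NamedTuple):
    md5: str
    size: int
    name: str


def parse_entry(line: str) -> Optional[HashEntry]:
    """Parse one 'MD5:size:name' line; return None for blank or malformed lines."""
    parts = line.strip().split(":", 2)  # the name itself may contain ':'
    if len(parts) != 3:
        return None
    md5, size, name = parts[0].lower(), parts[1], parts[2]
    if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
        return None
    if not (size.isascii() and size.isdigit()):
        return None
    return HashEntry(md5, int(size), name)


def load_entries(text: str) -> List[HashEntry]:
    """Keep only the well-formed entries from a block of lines."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def make_entry(data: bytes, name: str) -> str:
    """Build the entry line for a file's contents."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def is_allowlisted(data: bytes, entries: Iterable[HashEntry]) -> bool:
    """True only when both size and MD5 match an entry; the name is just a label."""
    digest = hashlib.md5(data).hexdigest()
    return any(e.size == len(data) and e.md5 == digest for e in entries)


# Entry exactly as quoted in the post.
POSTED = "c20bf64d43bd2f07e993535fa1b3f497:470810:playerglobal24_0.swc"
# Constructed stand-in bytes, not the real playerglobal.swc.
SAMPLE = b"constructed stand-in bytes, not the real playerglobal.swc\n"

if __name__ == "__main__":
    print(parse_entry(POSTED))
    allow = load_entries(make_entry(SAMPLE, "sample.swc"))
    # The exact bytes match; a one-byte change (e.g. a newer release) does not.
    print(is_allowlisted(SAMPLE, allow), is_allowlisted(SAMPLE + b"x", allow))
```

Because the match is on the whole file's size and hash, an entry covers exactly one build of the file, so each archived or newly released version needs its own line.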