[clamav-users] Emf.Exploit.CVE_2017_16395-6376329-0
Al Varnell
alvarnell at mac.com
Sun Nov 19 22:52:36 UTC 2017
It's a vulnerability that impacts Adobe Acrobat and Reader for Windows and Macintosh, specifically a Critical Buffer Access with Incorrect Length Value that can result in Remote Code Execution.
<https://helpx.adobe.com/security/products/acrobat/apsb17-36.html>
It was added to the ClamAV signature database on Friday and the signature looks for:
VIRUS NAME: Emf.Exploit.CVE_2017_16395-6376329-0
TDB: Target:0
LOGICAL EXPRESSION: (0&1)
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
{WILDCARD_ANY_STRING(LENGTH==36)} EMF
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
<Hex string removed so that this message is not detected as infected>
-Al-
On Sun, Nov 19, 2017 at 09:12 AM, Mark Foley wrote:
> For the past couple of days I've been getting notices from clamscan for
> Emf.Exploit.CVE_2017_16395-6376329-0. clamscan is running on the IMAP Maildir
> directories and is finding this exploit on emails as old as 2010.
>
> I can find nothing on this exploit searching on the web other than it exists. No
> description, etc. Can anyone tell me anything about this? What systems does it
> affect (Windows only?) What does it do? Etc. I'll have to decide whether to
> remove these old emails or stick this signature into my .ign2 file.
>
> btw - is there some good website that describes ALL current exploits?
> cve.mitre.org has a supposed complete list but for CVE-2017-16395 all it says
> is:
>
> ** RESERVED **
> This candidate has been reserved by an organization or individual that
> will use it when announcing a new security problem. When the
> candidate has been publicized, the details for this candidate will be
> provided.
>
> THX --Mark
-Al-
--
Al Varnell
Mountain View, CA
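
For the triage decision raised in the thread (remove the old messages or ignore the signature), the following added example, which is not from either poster or from the ClamAV project, groups clamscan hits for this signature by delivery year. It assumes clamscan's usual "path: name FOUND" report lines and Maildir file names that begin with the delivery time in epoch seconds; the paths and the second signature name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

SIGNATURE = "Emf.Exploit.CVE_2017_16395-6376329-0"  # name quoted in the thread

# clamscan reports a detection as "<path>: <signature name> FOUND"
HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Assumption: Maildir file names start with the delivery time in epoch seconds
MAILDIR_TS_RE = re.compile(r"^(\d{9,10})\.")

def delivery_time(path):
    """Return the delivery time encoded in a Maildir file name, or None."""
    m = MAILDIR_TS_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)

def hits_by_year(lines, signature=SIGNATURE):
    """Group paths flagged with `signature` by delivery year (None if unknown)."""
    grouped = defaultdict(list)
    for line in lines:
        m = HIT_RE.match(line.rstrip("\n"))
        if not m or m.group("sig") != signature:
            continue  # clean files, summary lines, other signatures
        when = delivery_time(m.group("path"))
        grouped[when.year if when else None].append(m.group("path"))
    return dict(grouped)

# Constructed clamscan output; no line here comes from the thread.
SAMPLE = """\
/home/u1/Maildir/cur/1285000000.M1P2.mail:2,S: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND
/home/u1/Maildir/cur/1400000000.M3P4.mail:2,S: OK
/home/u2/Maildir/new/1510900000.M5P6.mail: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND
/home/u2/Maildir/cur/1510900001.M7P8.mail:2,: Example.Other.Signature-0 FOUND
/srv/archive/report.pdf: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND
"""

if __name__ == "__main__":
    result = hits_by_year(SAMPLE.splitlines())
    # None sorts first so hits without a Maildir timestamp are listed separately
    for year in sorted(result, key=lambda y: (y is not None, y or 0)):
        print(year, len(result[year]))
        for path in result[year]:
            print("   ", path)
```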