[clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND
Al Varnell
alvarnell at mac.com
Tue Oct 24 06:48:26 UTC 2017
Did you submit a sample of it as a false positive report? If so please reply with a hash value for the file you submitted.
Sent from my iPhone
-Al-
--
Al Varnell
Mountain View, CA
> On Oct 23, 2017, at 9:50 PM, Tsutomu Oyamada <oyamada at promark-inc.com> wrote:
>
> Hi, Joel.
>
> Thank you.
> The issue of false positive for Html.Exploit.CVE_2017_8750-6336209-0 has been solved,
> but the issue of Html.Exploit.CVE_2017_8757-6336185-0 has not been solved yet.
>
> Could you drop this signature as well?
>
>
> On Fri, 20 Oct 2017 14:47:24 +0000
> "Joel Esler (jesler)" <jesler at cisco.com> wrote:
>
>> All?
>>
>> This signature has been dropped.
>>
>> --
>> Joel Esler | Talos: Manager | jesler at cisco.com
>>
>> On Oct 20, 2017, at 8:30 AM, Gene Heskett <gheskett at shentel.net> wrote:
>>
>> On Friday 20 October 2017 02:06:38 Al Varnell wrote:
>>
>> I assume we are all still talking about
>> Html.Exploit.CVE_2017_8750-6336209-0?
>>
>> Gene, I believe your report was an omni.ja files infected with
>> Html.Exploit.CVE_2017_8757-6336185-0.
>>
>> Since it was the same file, I suppose I missed that the CVE had changed.
>> Anyway, it's the above number I've been looking at every morning for a
>> couple weeks. I figured my previous msg was sufficient. My bad.
>>
>> They have both been dealt with locally by ClamXAV, but I've not seen
>> either listed as dropped by ClamAV yet.
>>
>> Different versions of Firefox on different platforms.
>>
>> -Al-
>>
>> On Thu, Oct 19, 2017 at 10:24 PM, Gene Heskett wrote:
>> On Friday 20 October 2017 00:24:20 Tsutomu Oyamada wrote:
>> Hi,
>>
>> The false positive for omni.ja is still occurring.
>> I have reported this many times, but it has not been fixed yet.
>>
>> I have been troubled with this issue.
>> What am I supposed to do?
>>
>> I too have reported this, but nothing is being done.
>>
>> On Sat, 23 Sep 2017 09:53:30 -0400
>>
>> Gene Heskett <gheskett at shentel.net> wrote:
>> On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
>> note correction in subject file location
>>
>> So here are the facts with regard to
>> Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
>> previously reported in this thread). It was just added to the
>> database about fifteen hours ago in daily - 23863 and is looking
>> for two strings which you can observe by using the following
>> (I'm not posting it here so this e-mail won't be detected as
>> infected):
>>
>> sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool
>> --decode-sigs
>>
>> CVE-2017-8750 is described as
>> <https://nvd.nist.gov/vuln/detail/CVE-2017-8750>: "Internet
>> Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1,
>> Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and
>> Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511,
>> 1607, 1703, and Windows Server 2016 allow an attacker to execute
>> arbitrary code in the context of the current user due to the way
>> that Microsoft browsers access objects in memory, aka "Microsoft
>> Browser Memory Corruption Vulnerability"."
>>
>> so it's not a threat to your platform unless you are also running
>> Windows somehow.
>>
>> I've a bounty on windows here, nuke on encounter.
>>
>> My power just came back so I scanned my Firefox 55.0.3 for Mac
>> and it tested clean. Taking a look at the omni.ja file I see 109
>> occurrences of the first string, but not the second.
>>
>> So at this point I'll just repeat my advice from before to submit
>> that file to <http://www.clamav.net/reports/fp> then return here and report a
>> hash value.
>>
>> Means to determine hash? I'll assume sha256sum here
>>
>> gene at coyote:~/firefox/browser$ sha256sum omni.ja
>> 2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348
>> omni.ja
>>
>> Thanks Al
>>
>> On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
>> On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
>> Power out here so cannot check. Was negative when I looked at
>> macOS version last week.
>>
>> What OS?
>>
>> 32 bit wheezy, on an AMD phenom, all up to date. uname -a
>>
>> 3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
>> (2017-02-24) x86_64 GNU/Linux
>>
>> Thank you Al.
>>
>> Sent from my iPhone
>>
>> -Al-
>>
>> Cheers, Gene Heskett
>>
>> -Al-
>>
>> Cheers, Gene Heskett
>> --
>> "There are four boxes to be used in defense of liberty:
>> soap, ballot, jury, and ammo. Please use in that order."
>> -Ed Howdershelt (Author)
>> Genes Web page <http://geneslinuxbox.net:6309/gene>
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>>
>> Cheers, Gene Heskett
>>
>> -Al-
>>
>>
>> Cheers, Gene Heskett
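The false-positive triage Al walks through above (decode the signature's strings as `sigtool --decode-sigs` would, count how often each occurs in the flagged omni.ja, hash the file for the FP report) as an added example; it is not code from the thread or from ClamAV. The `.ldb` line and file contents are constructed placeholders: the real subsignature bodies of Html.Exploit.CVE_2017_8750-6336209-0 are deliberately not reproduced, and only the `??` and `*` hex wildcards are handled.

```python
import hashlib
import re

# Constructed sample: an .ldb-style logical signature line. The two hex
# subsignatures are invented stand-ins ("<script>" and "CollectGarbage("),
# NOT the real body of the ClamAV signature named here.
SAMPLE_LDB = (
    "Html.Exploit.CVE_2017_8750-6336209-0;Target:3;0&1;"
    "3c7363726970743e;"
    "436f6c6c6563744761726261676528"
)

# Constructed stand-in for omni.ja: first string present many times,
# second string absent, mirroring the "109 hits, but not the second" case.
SAMPLE_FILE = b"<script>var a=1;</script>" * 3 + b"<script>document.write(1)"


def parse_ldb(line):
    """Split an .ldb line into (name, logical expression, hex subsignatures)."""
    name, _target, expr, *subsigs = line.strip().split(";")
    return name, expr, subsigs


def _tokens(hexsig):
    # hex byte pairs, '??' (any one byte) and '*' (any run of bytes)
    return re.findall(r"\?\?|\*|[0-9a-fA-F]{2}", hexsig)


def decode_subsig(hexsig):
    """Printable form of a hex body, roughly what sigtool --decode-sigs shows."""
    return "".join(t[0] if t in ("??", "*") else bytes.fromhex(t).decode("latin-1")
                   for t in _tokens(hexsig))


def hex_to_regex(hexsig):
    """Compile a hex body into a bytes regex so wildcards are honoured."""
    parts = [b"." if t == "??" else b".*?" if t == "*" else re.escape(bytes.fromhex(t))
             for t in _tokens(hexsig)]
    return re.compile(b"".join(parts), re.DOTALL)


def count_subsig_hits(line, data):
    """Per-subsignature (decoded string, occurrence count) over the file bytes."""
    _name, _expr, subsigs = parse_ldb(line)
    return [(decode_subsig(h), len(hex_to_regex(h).findall(data))) for h in subsigs]


def fp_report(line, data):
    """What to attach to an FP report: sha256 of the file plus per-subsig counts.
    The logical expression (e.g. 0&1) is reported, not evaluated."""
    name, expr, _ = parse_ldb(line)
    return {"signature": name, "logic": expr,
            "sha256": hashlib.sha256(data).hexdigest(),
            "hits": count_subsig_hits(line, data)}
```

Run `fp_report(SAMPLE_LDB, open("omni.ja", "rb").read())` against the real file once the signature body has been pulled with `sigtool -f <name>` to see which subsignature is responsible for the hit.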