[Community-sigs] CVE-2014-0503

Shaun Hurley shahurle at sourcefire.com
Wed Jul 15 17:21:16 EDT 2015


Sorry for the inconvenience. I've added the responses to your questions
based on the bullet number.

1. The PUA documentation on the site is out of date. Exploits are certainly
unwanted, but  the rate of false positives for detection may both be high
and unavoidable. At times, we'll add these high FP CVEs as PUA just to
ensure that the detection is available if the user wants to enable the PUA

2. This signature, in general, probably should not have been added. The
method of exploitation would be better detected based on some kind of
network IDS versus a file AV scanner. I am uncertain as to why we didn't
get the FP you reported through the clamav.net/report/fp page.

3. Currently, those are the only methods to disable rules. I believe there
are third party tools (Clamtk) that can be used to disable rules, but those
all end up editing the signature files. I'll pass on the suggestion to the
development team.

I've dropped the signature. The database should be updated by EOD today.

Please let me know if there are any other questions or issues.

Shaun Hurley
Cisco Malware Research

On Wed, Jul 15, 2015 at 1:45 PM, Leonardo Tancredi <leotancredi at gmail.com>

> Hello,
> I would like some feedback on two issues regarding the signature for
> CVE-2014-0503:
>    1. Why is it classified as PUA (PUA.HTML.Exploit.CVE_2014_0503) when
>    this is a vulnerability and the signature's name says it detects its
>    "exploit"? I think there's nothing "potentially" unwanted about
> exploits,
>    they're pretty much as unwanted as a virus or trojan; they can be useful
>    for security specialists but not for most people . Furthermore, there's
> no
>    mention of PUA.HTML in the PUA Documentation Page
>    <http://www.clamav.net/doc/pua.html>.
>    2. The signature for CVE-2014-0503 is:
> PUA.HTML.Exploit.CVE_2014_0503:3:*:3c656d626564{-50}7372633d{-50}3030{-50}2e737766
>    which amounts to a regular expression like:
>       <embed.{0,50}src=.{0,50}00.{0,50}\.swf
>    which matches completely innocent web pages containing strings like this
>    one:
>      <embed src="somepath/somename150x100.swf"
>    I saw that false positives in PUA signatures are not welcome at the old
>    contact form (http://cgi.clamav.net/sendvirus.cgi). I reported this on
>    July 7 2015 through http://www.clamav.net/report/fp which has no such
>    restriction, with concrete examples of this problem happening in real
>    pages, but got no answer.
> For cases like this one, in which there are a lot of false positives, there
> should be some way for the clamav user to disable specific signatures
> without having to disable the whole PUA collection and without having to
> edit the signatures file (if that is even possible, idk).
> Thanks.
> LT
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> http://www.clamav.net/contact.html#ml

More information about the Community-sigs mailing list