Interesting. All the allegedly affected emails I've checked have docx
attachments, not Adobe or .PDF. It seems incorrect that a signature for Adobe
and Reader would be triggering on docx files.

For now, I'm not going to put this in .ign2, but I will exclude the Maildir
scanning script from looking at these specific older messages. We'll see what
happens from there.

Thanks for your feedback.

--Mark

On Sun, 19 Nov 2017 14:52:36 -0800 Al Varnell <alvarn...@mac.com> wrote:

> It's a vulnerability that impacts Adobe Acrobat and Reader for Windows and 
> Macintosh, specifically a Critical Buffer Access with Incorrect Length Value 
> that can result in Remote Code Execution.
> <https://helpx.adobe.com/security/products/acrobat/apsb17-36.html>
>
> It was added to the ClamAV signature database on Friday and the signature 
> looks for:
> VIRUS NAME: Emf.Exploit.CVE_2017_16395-6376329-0
> TDB: Target:0
> LOGICAL EXPRESSION: (0&1)
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> {WILDCARD_ANY_STRING(LENGTH==36)} EMF
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> <Hex string removed so that this message is not detected as infected>
>
> -Al-
>
> On Sun, Nov 19, 2017 at 09:12 AM, Mark Foley wrote:
> > For the past couple of days I've been getting notices from clamscan for
> > Emf.Exploit.CVE_2017_16395-6376329-0. clamscan is running on the IMAP Maildir
> > directories and is finding this exploit on emails as old as 2010.
> > 
> > I can find nothing on this exploit searching on the web other than it exists.
> > No description, etc. Can anyone tell me anything about this? What systems does
> > it affect (Windows only?) What does it do? Etc. I'll have to decide whether to
> > remove these old emails or stick this signature into my .ign2 file.
> > 
> > btw - is there some good website that describes ALL current exploits?
> > cve.mitre.org <http://cve.mitre.org/> has a supposed complete list but for 
> > CVE-2017-16395 all it says
> > is:
> > 
> >  ** RESERVED **
> >  This candidate has been reserved by an organization or individual that
> >  will use it when announcing a new security problem.  When the
> >  candidate has been publicized, the details for this candidate will be
> >  provided.
> > 
> > THX --Mark
>
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
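The decoded output Al pasted is the shape `sigtool --decode-sigs` gives for a logical signature (`.ldb` line): a name, a target description block (`Target:0` means the signature is tried against every file type), a logical expression over numbered subsignatures, and the subsignatures themselves in ClamAV hex syntax. The example below, added here and not ClamAV's own code, parses that format, evaluates the `(0&1)` expression against bytes, and shows why a `Target:0` signature can fire on a .docx: clamscan unpacks the zip and scans each member, and .docx files routinely carry embedded `.emf` images under `word/media/`. The signature in the block is a constructed stand-in: subsig 0 reproduces the decoded `{WILDCARD_ANY_STRING(LENGTH==36)} EMF` (`{36}` followed by the bytes `20 45 4d 46`), while subsig 1 (`deadbeef`) and the signature name replace the hex string Al removed, so it is not the real detection. The sample EMF and .docx bytes are constructed, and the expression evaluator supports only `&`, `|` and parentheses, not ClamAV's match-count comparisons.

```python
"""Parse a ClamAV logical signature (.ldb line), evaluate it against bytes, and
mimic archive scanning. Constructed example, not ClamAV's implementation."""
import io
import re
import zipfile
from dataclasses import dataclass


@dataclass
class LogicalSig:
    name: str
    target: int          # 0 = any file type, as in the signature quoted in the thread
    expression: str      # e.g. "(0&1)": both subsignatures must match
    subsigs: list        # [(absolute offset or None for ANY, compiled bytes regex), ...]


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate ClamAV hex syntax into a bytes regex.
    Supported subset: hex bytes, ?? (any byte), {n} {n-m} {-n} {n-} gaps, * (any run)."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "{":
            j = hexsig.index("}", i)
            spec = hexsig[i + 1:j]
            if "-" in spec:
                lo, hi = spec.split("-", 1)
                parts.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
            else:
                parts.append(b".{%d}" % int(spec))
            i = j + 1
        elif hexsig[i] == "*":
            parts.append(b".*")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ldb(line: str) -> LogicalSig:
    """Split Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;..."""
    name, tdb, expr, *raw_subsigs = line.strip().split(";")
    tdb_fields = dict(kv.split(":", 1) for kv in tdb.split(","))
    subsigs = []
    for raw in raw_subsigs:
        off, sep, hexsig = raw.partition(":")
        if not sep:                      # no offset field means OFFSET: ANY
            off, hexsig = "*", raw
        subsigs.append((None if off == "*" else int(off), hexsig_to_regex(hexsig)))
    return LogicalSig(name, int(tdb_fields.get("Target", "0")), expr, subsigs)


def evaluate(expr: str, hits: list) -> bool:
    """Evaluate a logical expression over subsig ids using &, | and parentheses only.
    An id is true when that subsignature matched at least once."""
    tokens, pos = re.findall(r"\d+|[&|()]", expr), 0

    def parse_or():
        nonlocal pos
        val = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            val = parse_and() or val     # evaluate both sides; never skip tokens
        return val

    def parse_and():
        nonlocal pos
        val = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = parse_atom()
            val = val and rhs
        return val

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = parse_or()
            pos += 1                     # consume the closing parenthesis
            return val
        return hits[int(tok)] > 0

    return parse_or()


def scan(sig: LogicalSig, data: bytes):
    """Return (detected, per-subsig hit counts) for one buffer."""
    hits = []
    for offset, pattern in sig.subsigs:
        if offset is None:
            hits.append(len(pattern.findall(data)))
        else:
            hits.append(1 if pattern.match(data, offset) else 0)
    return evaluate(sig.expression, hits), hits


def build_docx(image: bytes) -> bytes:
    """Constructed minimal .docx-shaped zip with an EMF image under word/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.emf", image)
    return buf.getvalue()


def scan_docx(sig: LogicalSig, docx: bytes) -> dict:
    """Mimic clamscan's archive handling: every member is unpacked and scanned on
    its own, and a Target:0 signature is applied to each member whatever its type."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        return {name: scan(sig, zf.read(name))[0] for name in zf.namelist()}


# Constructed stand-in for the quoted signature (name and subsig 1 are placeholders).
SAMPLE_LDB = "Example.Emf.Test-0;Target:0;(0&1);{36}20454d46;deadbeef"
# In a real EMF header the " EMF" signature sits at offset 40 (4-byte iType + 36 bytes).
EMF_HEADER = b"\x01\x00\x00\x00" + b"\x00" * 36 + b" EMF"
CLEAN_EMF = EMF_HEADER + b"\x00" * 64                                   # constructed
FLAGGED_EMF = EMF_HEADER + b"\x00" * 16 + b"\xde\xad\xbe\xef" + b"\x00" * 44  # constructed

if __name__ == "__main__":
    sig = parse_ldb(SAMPLE_LDB)
    print(sig.name, "Target:", sig.target, "expr:", sig.expression)
    print("clean EMF   ->", scan(sig, CLEAN_EMF))
    print("flagged EMF ->", scan(sig, FLAGGED_EMF))
    print("docx members ->", scan_docx(sig, build_docx(FLAGGED_EMF)))
```

The clean EMF reports hits `[1, 0]` and no detection, because the logical expression requires both subsignatures; the flagged one reports `[1, 1]` and is detected, and the same bytes wrapped in a .docx are detected on the `word/media/image1.emf` member alone, which is the behaviour that makes a signature written for an Adobe bug surface on Word attachments. If a signature is to be suppressed locally, the `.ign2` file format is one signature name per line (for this thread, the line `Emf.Exploit.CVE_2017_16395-6376329-0`) placed in the database directory; excluding the flagged messages from the Maildir scan, as Mark chose, leaves the signature active for new mail.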


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Reply via email to