Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-09-23 Thread Gene Heskett
On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
note correction in subject file location

> So here are the facts with regard to
> Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
> previously reported in this thread). It was just added to the database
> about fifteen hours ago in daily - 23863 and is looking for two
> strings which you can observe by using the following (I'm not posting
> it here so this e-mail won't be detected as infected):
>
> sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool --decode-sigs
>
> CVE-2017-8750 is described as
> : "Internet Explorer
> in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1
> and Windows RT 8.1, Windows Server 2012 R2, and Microsoft Edge and
> Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows
> Server 2016 allow an attacker to execute arbitrary code in the context
> of the current user due to the way that Microsoft browsers access
> objects in memory, aka "Microsoft Browser Memory Corruption
> Vulnerability"."
>
> so it's not a threat to your platform unless you are also running
> Windows somehow.

I've a bounty on windows here, nuke on encounter.

> My power just came back so I scanned my Firefox 55.0.3 for Mac and it
> tested clean. Taking a look at the omni.ja file I see 109 occurrences
> of the first string, but not the second.
>
> So at this point I'll just repeat my advice from before to submit that
> file to  then return here and report
> a hash value.

Means to determine hash? I'll assume sha256sum here

gene@coyote:~/firefox/browser$ sha256sum omni.ja
2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348  omni.ja

Thanks Al
>
> On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
> > On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
> >> Power out here so cannot check. Was negative when I looked at macOS
> >> version last week.
> >>
> >> What OS?
> >
> > 32 bit wheezy, on an AMD phenom, all up to date. uname -a
> >
> > 3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
> > (2017-02-24) x86_64 GNU/Linux
> >
> > Thank you Al.
> >
> >> Sent from my iPhone
> >>
> >> -Al-
> >
> > Cheers, Gene Heskett
>
> -Al-


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] /home/gene/Download/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8757-6336185-0 FOUND

2017-09-23 Thread Al Varnell
So here are the facts with regard to Html.Exploit.CVE_2017_8750-6336209-0 
(which is not the same as previously reported in this thread). It was just 
added to the database about fifteen hours ago in daily - 23863 and is looking 
for two strings which you can observe by using the following (I'm not posting 
it here so this e-mail won't be detected as infected):

sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool --decode-sigs

CVE-2017-8750 is described as :
"Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, 
Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and Microsoft Edge and 
Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 
allow an attacker to execute arbitrary code in the context of the current user 
due to the way that Microsoft browsers access objects in memory, aka "Microsoft 
Browser Memory Corruption Vulnerability"."

so it's not a threat to your platform unless you are also running Windows 
somehow.

My power just came back so I scanned my Firefox 55.0.3 for Mac and it tested 
clean. Taking a look at the omni.ja file I see 109 occurrences of the first 
string, but not the second.

So at this point I'll just repeat my advice from before to submit that file to 
 then return here and report a hash value.

-Al-

On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
> On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
> 
>> Power out here so cannot check. Was negative when I looked at macOS
>> version last week.
>> 
>> What OS?
>> 
> 32 bit wheezy, on an AMD phenom, all up to date. uname -a
> 
> 3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1 (2017-02-24) 
> x86_64 GNU/Linux
> 
> Thank you Al.
> 
>> Sent from my iPhone
>> 
>> -Al-
> 
> 
> Cheers, Gene Heskett

-Al-
-- 
Al Varnell
Mountain View, CA
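The triage Al describes above (decode the signature's strings, count each one in the flagged file, and report a hash), as an added Python example that is not part of this thread or of ClamAV itself. The two hex strings are constructed placeholders rather than the real signature content, and a plain "both strings must be present" signature using ClamAV's `??` single-byte wildcard is assumed.

```python
import hashlib
import re

# Constructed placeholders: the two real strings come out of
#   sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0 | sigtool --decode-sigs
# and are deliberately not reproduced here.  ClamAV hex syntax, with
# "??" meaning "any one byte", is assumed for the decoded strings.
SAMPLE_PATTERNS = {
    "string1": "3c7363726970743e",      # constructed: "<script>"
    "string2": "6465616462????6566",    # constructed: "deadb" ?? ?? "ef"
}


def hex_to_regex(sig_hex: str) -> re.Pattern:
    """Turn a ClamAV-style hex string into a bytes regex (handles '??')."""
    if len(sig_hex) % 2:
        raise ValueError("hex signature must have an even number of digits")
    parts = []
    for i in range(0, len(sig_hex), 2):
        pair = sig_hex[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def count_occurrences(data: bytes, sig_hex: str) -> int:
    """Non-overlapping match count of one signature string in the file."""
    return len(hex_to_regex(sig_hex).findall(data))


def triage(data: bytes, patterns: dict) -> dict:
    """Hash the file and count each string; a zero count for any string the
    signature requires means the detection deserves a closer look."""
    counts = {name: count_occurrences(data, h) for name, h in patterns.items()}
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # same value as sha256sum
        "counts": counts,
        "all_present": all(c > 0 for c in counts.values()),
    }


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # e.g. path to omni.ja
        print(triage(fh.read(), SAMPLE_PATTERNS))
```

Run it against the flagged file to get the per-string counts Al compares and the sha256 Gene was asked to report in one step.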

Re: [clamav-users] /home/gene/Download/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8757-6336185-0 FOUND

2017-09-23 Thread Gene Heskett
On Saturday 23 September 2017 02:32:48 Al Varnell wrote:

> Power out here so cannot check. Was negative when I looked at macOS
> version last week.
>
> What OS?
>
32 bit wheezy, on an AMD phenom, all up to date. uname -a

3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1 (2017-02-24) 
x86_64 GNU/Linux

Thank you Al.

> Sent from my iPhone
>
> -Al-


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 