Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-26 Thread Tsutomu Oyamada
Thank you Joel.


On Wed, 25 Oct 2017 13:05:42 +
"Joel Esler (jesler)" wrote:

> This has been dropped as well.
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
> 
> On Oct 24, 2017, at 5:11 AM, Tsutomu Oyamada wrote:
> 
> Yes,
> I have submitted the file many times.
> 
> File name: omni.ja
> SHA256: 5e852b33f716fb6b81bc75d762372a105f04dcdab07a621eddb8507970dbd0b6
> 

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-25 Thread Joel Esler (jesler)
This has been dropped as well.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Oct 24, 2017, at 5:11 AM, Tsutomu Oyamada wrote:

Yes,
I have submitted the file many times.

File name: omni.ja
SHA256: 5e852b33f716fb6b81bc75d762372a105f04dcdab07a621eddb8507970dbd0b6

On Mon, 23 Oct 2017 23:48:26 -0700
Al Varnell wrote:

Did you submit a sample of it as a false positive report? If so please reply 
with a hash value for the file you submitted.

Sent from my iPhone

-Al-
--
Al Varnell
Mountain View, CA

On Oct 23, 2017, at 9:50 PM, Tsutomu Oyamada wrote:

Hi, Joel.

Thank you.
The issue of the false positive for Html.Exploit.CVE_2017_8750-6336209-0 has been
solved, but the issue of Html.Exploit.CVE_2017_8757-6336185-0 has not been solved yet.

Could you drop this signature as well?


On Fri, 20 Oct 2017 14:47:24 +
"Joel Esler (jesler)" wrote:

All —

This signature has been dropped.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Oct 20, 2017, at 8:30 AM, Gene Heskett wrote:

On Friday 20 October 2017 02:06:38 Al Varnell wrote:

I assume we are all still talking about
Html.Exploit.CVE_2017_8750-6336209-0?

Gene, I believe your report was an omni.ja file infected with
Html.Exploit.CVE_2017_8757-6336185-0.

Since it was the same file, I suppose I missed that the CVE had changed.
Anyway, it's the above number I've been looking at every morning for a
couple weeks. I figured my previous msg was sufficient. My bad.

They have both been dealt with locally by ClamXAV, but I've not seen
either listed as dropped by ClamAV yet.

Different versions of Firefox on different platforms.

-Al-

On Thu, Oct 19, 2017 at 10:24 PM, Gene Heskett wrote:
On Friday 20 October 2017 00:24:20 Tsutomu Oyamada wrote:
Hi,

The false positive for omni.ja is still occurring.
I have reported this many times, but it has not been fixed yet.

I have been troubled with this issue.
What am I supposed to do?

I too have reported this, but nothing is being done.

On Sat, 23 Sep 2017 09:53:30 -0400 Gene Heskett wrote:
On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
note correction in subject file location

So here are the facts with regard to
Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
previously reported in this thread). It was just added to the
database about fifteen hours ago in daily - 23863 and is looking
for two strings which you can observe by using the following
(I'm not posting it here so this e-mail won't be detected as
infected):

sigtool -f Html.Exploit.CVE_2017_8750-6336209-0 | sigtool --decode-sigs

CVE-2017-8750 is described as: "Internet
Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1,
Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and
Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511,
1607, 1703, and Windows Server 2016 allow an attacker to execute
arbitrary code in the context of the current user due to the way
that Microsoft browsers access objects in memory, aka "Microsoft
Browser Memory Corruption Vulnerability"."

so it's not a threat to your platform unless you are also running
Windows somehow.

I've a bounty on windows here, nuke on encounter.

My power just came back so I scanned my Firefox 55.0.3 for Mac
and it tested clean. Taking a look at the omni.ja file I see 109
occurrences of the first string, but not the second.

So at this point I'll just repeat my advice from before to submit
that file to > then return here and report a
hash value.

Means to determine hash? I'll assume sha256sum here

gene@coyote:~/firefox/browser$ sha256sum omni.ja
2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348
omni.ja

Thanks Al

On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
Power out here so cannot check. Was negative when I looked at
macOS version last week.

What OS?

32 bit wheezy, on an AMD phenom, all up to date. uname -a

3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
(2017-02-24) x86_64 GNU/Linux

Thank you Al.

Sent from my iPhone

-Al-

Cheers, Gene Heskett

-Al-

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page >
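
Al Varnell's Sept 23 note quoted above describes the signature as looking for two strings and reports many hits on the first string in his omni.ja but none on the second, which is exactly why the file was not flagged on his side. The script below is an added example, not code from this thread or from ClamAV: it assumes an .ldb-style logical signature with plain-hex sub-signatures (no ClamAV wildcards), decodes the strings the way `sigtool --decode-sigs` would show them, counts each in a file, evaluates the `&`/`|` expression to say whether the file would match, and records the SHA256 to quote in a false-positive report. The signature and file contents it uses are constructed placeholders, not the real Html.Exploit.CVE_2017_8750 strings.

```python
"""Added example (not from the thread or ClamAV): local triage of a ClamAV
logical signature that requires several strings, in the spirit of
'sigtool --decode-sigs' followed by counting each string in the file.
Assumes an .ldb-style record  Name;TargetDescription;LogicalExpression;Sub0;Sub1;...
whose sub-signatures are plain hex (no ClamAV wildcards such as ?? or *)."""
import hashlib
import re


def parse_ldb(line: str):
    """Split a logical-signature record and decode its hex sub-signatures."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("not a logical signature record: " + line)
    name, target, expr, *hexsigs = fields
    return name, target, expr, [bytes.fromhex(h) for h in hexsigs]


def evaluate(expr: str, matched):
    """Evaluate the subset of ClamAV logical expressions used here:
    sub-signature indices combined with '&', '|' and parentheses.
    (Real signatures may also use count comparisons such as '(0|1)>2';
    this helper rejects those rather than misreading them.)"""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression: " + expr)
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = parse_and() or value  # both sides are consumed, no short-circuit
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = parse_atom() and value
        return value

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression: " + expr)
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in: " + expr)
            pos += 1
            return value
        if not tok.isdigit() or int(tok) >= len(matched):
            raise ValueError("bad sub-signature reference in: " + expr)
        return matched[int(tok)]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in: " + expr)
    return result


def triage(data: bytes, ldb_line: str) -> dict:
    """For one file: the decoded strings, how often each occurs, whether the
    whole signature would fire, and the SHA256 to cite in an FP report."""
    name, _target, expr, subsigs = parse_ldb(ldb_line)
    counts = [data.count(s) for s in subsigs]
    return {
        "signature": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "decoded": [s.decode("latin-1") for s in subsigs],
        "counts": counts,
        "would_match": evaluate(expr, [c > 0 for c in counts]),
    }


# Constructed placeholder signature: two harmless strings, both required (0&1).
SAMPLE_LDB = "Html.Exploit.Example-1;Target:3;0&1;" + \
    "<script>".encode().hex() + ";" + "unescape(".encode().hex()
# Constructed stand-ins for file contents: the first has the first string twice and
# the second string not at all (the partial hit Al describes); the second has both.
SAMPLE_CLEAN = b"<html><script>var a=1;</script><script>var b=2;</script></html>"
SAMPLE_HIT = b"<html><script>x=unescape('%41');</script></html>"

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("hit", SAMPLE_HIT)):
        r = triage(blob, SAMPLE_LDB)
        print(label, r["signature"], r["sha256"])
        for s, c in zip(r["decoded"], r["counts"]):
            print("  %-12r occurrences: %d" % (s, c))
        print("  would match:", r["would_match"])
```

To triage a real file, replace the constructed blobs with `open(path, "rb").read()` and the placeholder record with the line that `sigtool -f NAME` prints for the signature in question.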

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-24 Thread Tsutomu Oyamada
Yes, 
I have submitted the file many times.

File name: omni.ja
SHA256: 5e852b33f716fb6b81bc75d762372a105f04dcdab07a621eddb8507970dbd0b6

On Mon, 23 Oct 2017 23:48:26 -0700
Al Varnell wrote:

> Did you submit a sample of it as a false positive report? If so please reply 
> with a hash value for the file you submitted. 
> 
> Sent from my iPhone
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-24 Thread Al Varnell
Did you submit a sample of it as a false positive report? If so please reply 
with a hash value for the file you submitted. 

Sent from my iPhone

-Al-
-- 
Al Varnell
Mountain View, CA

> On Oct 23, 2017, at 9:50 PM, Tsutomu Oyamada wrote:
> 
> Hi, Joel.
> 
> Thank you.
> The issue of the false positive for Html.Exploit.CVE_2017_8750-6336209-0 has been
> solved, but the issue of Html.Exploit.CVE_2017_8757-6336185-0 has not been solved yet.
> 
> Could you drop this signature as well?
> 

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-23 Thread Tsutomu Oyamada
Hi, Joel.

Thank you.
The issue of the false positive for Html.Exploit.CVE_2017_8750-6336209-0 has been
solved, but the issue of Html.Exploit.CVE_2017_8757-6336185-0 has not been solved yet.

Could you drop this signature as well?


On Fri, 20 Oct 2017 14:47:24 +
"Joel Esler (jesler)" wrote:

> All —
> 
> This signature has been dropped.
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-20 Thread Gene Heskett
On Friday 20 October 2017 10:47:24 Joel Esler (jesler) wrote:

> All —
>
> This signature has been dropped.
>
> --
> Joel Esler | Talos: Manager |
> jes...@cisco.com
>
Thank you Joel.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-20 Thread Joel Esler (jesler)
All —

This signature has been dropped.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Oct 20, 2017, at 8:30 AM, Gene Heskett wrote:

On Friday 20 October 2017 02:06:38 Al Varnell wrote:

I assume we are all still talking about
Html.Exploit.CVE_2017_8750-6336209-0?

Gene, I believe your report was an omni.ja file infected with
Html.Exploit.CVE_2017_8757-6336185-0.

Since it was the same file, I suppose I missed that the CVE had changed.
Anyway, it's the above number I've been looking at every morning for a
couple weeks. I figured my previous msg was sufficient. My bad.

They have both been dealt with locally by ClamXAV, but I've not seen
either listed as dropped by ClamAV yet.

Different versions of Firefox on different platforms.

-Al-

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-20 Thread Gene Heskett
On Friday 20 October 2017 02:06:38 Al Varnell wrote:

> I assume we are all still talking about
> Html.Exploit.CVE_2017_8750-6336209-0?
>
> Gene, I believe your report was an omni.ja file infected with
> Html.Exploit.CVE_2017_8757-6336185-0.
>
Since it was the same file, I suppose I missed that the CVE had changed.
Anyway, it's the above number I've been looking at every morning for a
couple weeks. I figured my previous msg was sufficient. My bad.

> They have both been dealt with locally by ClamXAV, but I've not seen
> either listed as dropped by ClamAV yet.
>
> Different versions of Firefox on different platforms.
>
> -Al-
>


Cheers, Gene Heskett
-- 
"There 

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-20 Thread Al Varnell
I assume we are all still talking about Html.Exploit.CVE_2017_8750-6336209-0? 

Gene, I believe your report was an omni.ja file infected with 
Html.Exploit.CVE_2017_8757-6336185-0.

They have both been dealt with locally by ClamXAV, but I've not seen either 
listed as dropped by ClamAV yet.

Different versions of Firefox on different platforms.

-Al-

On Thu, Oct 19, 2017 at 10:24 PM, Gene Heskett wrote:
> On Friday 20 October 2017 00:24:20 Tsutomu Oyamada wrote:
> 
>> Hi,
>> 
>> The false positive for omni.ja is still occurring.
>> I have reported this many times, but it has not been fixed yet.
>> 
>> I have been troubled with this issue.
>> What am I supposed to do?
>> 
> I too have reported this, but nothing is being done.
>> 
>> On Sat, 23 Sep 2017 09:53:30 -0400
>> 
>> Gene Heskett > wrote:
>>> On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
>>> note correction in subject file location
>>> 
 So here are the facts with regard to
 Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
 previously reported in this thread). It was just added to the
 database about fifteen hours ago in daily - 23863 and is looking
 for two strings which you can observe by using the following (I'm
 not posting it here so this e-mail won't be detected as infected):
 
 sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool
 --decode-sigs
 
 CVE-2017-8750 is described as
 >: "Internet
 Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1,
 Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and
 Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511,
 1607, 1703, and Windows Server 2016 allow an attacker to execute
 arbitrary code in the context of the current user due to the way
 that Microsoft browsers access objects in memory, aka "Microsoft
 Browser Memory Corruption Vulnerability"."
 
 so it's not a threat to your platform unless you are also running
 Windows somehow.
>>> 
>>> I've a bounty on windows here, nuke on encounter.
>>> 
 My power just came back so I scanned my Firefox 55.0.3 for Mac and
 it tested clean. Taking a look at the omni.ja file I see 109
 occurrences of the first string, but not the second.
 
 So at this point I'll just repeat my advice from before to submit
 that file to > then return here
 and report a hash value.
>>> 
>>> Means to determine hash? I'll assume sha256sum here
>>> 
>>> gene@coyote:~/firefox/browser$ sha256sum omni.ja
>>> 2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348 
>>> omni.ja
>>> 
>>> Thanks Al
>>> 
 On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
> On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
>> Power out here so cannot check. Was negative when I looked at
>> macOS version last week.
>> 
>> What OS?
> 
> 32 bit wheezy, on an AMD phenom, all up to date. uname -a
> 
> 3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
> (2017-02-24) x86_64 GNU/Linux
> 
> Thank you Al.
> 
>> Sent from my iPhone
>> 
>> -Al-
> 
> Cheers, Gene Heskett
 
 -Al-
>>> 
>>> Cheers, Gene Heskett
>>> --
>>> "There are four boxes to be used in defense of liberty:
>>> soap, ballot, jury, and ammo. Please use in that order."
>>> -Ed Howdershelt (Author)
>>> Genes Web page
>> 
> 
> 
> Cheers, Gene Heskett

-Al-
-- 
Al Varnell
Mountain View, CA








Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-19 Thread Gene Heskett
On Friday 20 October 2017 00:24:20 Tsutomu Oyamada wrote:

> Hi,
>
> The false positive for omni.ja is still occurring.
> I have reported this many times, but it has not been fixed yet.
>
> I have been troubled with this issue.
> What am I supposed to do?
>
I too have reported this, but nothing is being done.
>
> On Sat, 23 Sep 2017 09:53:30 -0400
>
> Gene Heskett  wrote:
> > On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
> > note correction in subject file location
> >
> > > So here are the facts with regard to
> > > Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
> > > previously reported in this thread). It was just added to the
> > > database about fifteen hours ago in daily - 23863 and is looking
> > > for two strings which you can observe by using the following (I'm
> > > not posting it here so this e-mail won't be detected as infected):
> > >
> > > sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool
> > > --decode-sigs
> > >
> > > CVE-2017-8750 is described as
> > > : "Internet
> > > Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1,
> > > Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and
> > > Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511,
> > > 1607, 1703, and Windows Server 2016 allow an attacker to execute
> > > arbitrary code in the context of the current user due to the way
> > > that Microsoft browsers access objects in memory, aka "Microsoft
> > > Browser Memory Corruption Vulnerability"."
> > >
> > > so it's not a threat to your platform unless you are also running
> > > Windows somehow.
> >
> > I've a bounty on windows here, nuke on encounter.
> >
> > > My power just came back so I scanned my Firefox 55.0.3 for Mac and
> > > it tested clean. Taking a look at the omni.ja file I see 109
> > > occurrences of the first string, but not the second.
> > >
> > > So at this point I'll just repeat my advice from before to submit
> > > that file to  then return here
> > > and report a hash value.
> >
> > Means to determine hash? I'll assume sha256sum here
> >
> > gene@coyote:~/firefox/browser$ sha256sum omni.ja
> > 2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348 
> > omni.ja
> >
> > Thanks Al
> >
> > > On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
> > > > On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
> > > >> Power out here so cannot check. Was negative when I looked at
> > > >> macOS version last week.
> > > >>
> > > >> What OS?
> > > >
> > > > 32 bit wheezy, on an AMD phenom, all up to date. uname -a
> > > >
> > > > 3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
> > > > (2017-02-24) x86_64 GNU/Linux
> > > >
> > > > Thank you Al.
> > > >
> > > >> Sent from my iPhone
> > > >>
> > > >> -Al-
> > > >
> > > > Cheers, Gene Heskett
> > >
> > > -Al-
> >
> > Cheers, Gene Heskett
> > --
> > "There are four boxes to be used in defense of liberty:
> >  soap, ballot, jury, and ammo. Please use in that order."
> > -Ed Howdershelt (Author)
> > Genes Web page 
>


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-19 Thread Tsutomu Oyamada
Hi,

The false positive for omni.ja is still occurring.
I have reported this many times, but it has not been fixed yet.

I have been troubled with this issue.
What am I supposed to do?



On Sat, 23 Sep 2017 09:53:30 -0400
Gene Heskett  wrote:

> On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
> note correction in subject file location
> 
> > So here are the facts with regard to
> > Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
> > previously reported in this thread). It was just added to the database
> > about fifteen hours ago in daily - 23863 and is looking for two
> > strings which you can observe by using the following (I'm not posting
> > it here so this e-mail won't be detected as infected):
> >
> > sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool --decode-sigs
> >
> > CVE-2017-8750 is described as
> > : "Internet Explorer
> > in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1
> > and Windows RT 8.1, Windows Server 2012 R2, and Microsoft Edge and
> > Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows
> > Server 2016 allow an attacker to execute arbitrary code in the context
> > of the current user due to the way that Microsoft browsers access
> > objects in memory, aka "Microsoft Browser Memory Corruption
> > Vulnerability"."
> >
> > so it's not a threat to your platform unless you are also running
> > Windows somehow.
> 
> I've a bounty on windows here, nuke on encounter.
> 
> > My power just came back so I scanned my Firefox 55.0.3 for Mac and it
> > tested clean. Taking a look at the omni.ja file I see 109 occurrences
> > of the first string, but not the second.
> >
> > So at this point I'll just repeat my advice from before to submit that
> > file to  then return here and report
> > a hash value.
> 
> Means to determine hash? I'll assume sha256sum here
> 
> gene@coyote:~/firefox/browser$ sha256sum omni.ja
> 2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348  omni.ja
> 
> Thanks Al
> >
> > On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
> > > On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
> > >> Power out here so cannot check. Was negative when I looked at macOS
> > >> version last week.
> > >>
> > >> What OS?
> > >
> > > 32 bit wheezy, on an AMD phenom, all up to date. uname -a
> > >
> > > 3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
> > > (2017-02-24) x86_64 GNU/Linux
> > >
> > > Thank you Al.
> > >
> > >> Sent from my iPhone
> > >>
> > >> -Al-
> > >
> > > Cheers, Gene Heskett
> >
> > -Al-
> 
> 
> Cheers, Gene Heskett
> -- 
> "There are four boxes to be used in defense of liberty:
>  soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page 
> 




Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-09-23 Thread Gene Heskett
On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
note correction in subject file location

> So here are the facts with regard to
> Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
> previously reported in this thread). It was just added to the database
> about fifteen hours ago in daily - 23863 and is looking for two
> strings which you can observe by using the following (I'm not posting
> it here so this e-mail won't be detected as infected):
>
> sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool --decode-sigs
>
> CVE-2017-8750 is described as
> : "Internet Explorer
> in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1
> and Windows RT 8.1, Windows Server 2012 R2, and Microsoft Edge and
> Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows
> Server 2016 allow an attacker to execute arbitrary code in the context
> of the current user due to the way that Microsoft browsers access
> objects in memory, aka "Microsoft Browser Memory Corruption
> Vulnerability"."
>
> so it's not a threat to your platform unless you are also running
> Windows somehow.

I've a bounty on windows here, nuke on encounter.

> My power just came back so I scanned my Firefox 55.0.3 for Mac and it
> tested clean. Taking a look at the omni.ja file I see 109 occurrences
> of the first string, but not the second.
>
> So at this point I'll just repeat my advice from before to submit that
> file to  then return here and report
> a hash value.

Means to determine hash? I'll assume sha256sum here

gene@coyote:~/firefox/browser$ sha256sum omni.ja
2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348  omni.ja

Thanks Al
>
> On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
> > On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
> >> Power out here so cannot check. Was negative when I looked at macOS
> >> version last week.
> >>
> >> What OS?
> >
> > 32 bit wheezy, on an AMD phenom, all up to date. uname -a
> >
> > 3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
> > (2017-02-24) x86_64 GNU/Linux
> >
> > Thank you Al.
> >
> >> Sent from my iPhone
> >>
> >> -Al-
> >
> > Cheers, Gene Heskett
>
> -Al-


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 
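A small triage helper, added here as an example and not code from the thread or from ClamAV, that follows the steps Al lays out above: parse the clamscan FOUND line, decode the named signature with the `sigtool --find-sigs | sigtool --decode-sigs` pipeline (skipped when sigtool is not installed), and compute the SHA-256 that a false-positive report asks for. The sample FOUND line is constructed from this thread's subject; the regexes for the line shape and the signature-name shape are my assumptions.

```python
"""Triage a ClamAV detection: parse the FOUND line, inspect the signature,
and produce the SHA-256 that a false-positive report asks for."""
import hashlib
import re
import shutil
import subprocess

# Assumed line shape: clamscan prints "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Assumed name shape: Family.Type.Name-<numeric id>-<revision>
SIG_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.]+)-(?P<sigid>\d+)-(?P<rev>\d+)$")

def parse_found_line(line):
    """Return (path, signature) for a FOUND line, None for any other line."""
    m = FOUND_RE.match(line.strip())
    return (m.group("path"), m.group("sig")) if m else None

def split_signature(sig):
    """Split e.g. Html.Exploit.CVE_2017_8750-6336209-0 into name, id and revision."""
    m = SIG_RE.match(sig)
    if not m:
        return None
    return {"name": m.group("name"), "id": int(m.group("sigid")), "rev": int(m.group("rev"))}

def sha256_hex(data):
    """Hex SHA-256 of bytes; equals what sha256sum prints for a file holding them."""
    return hashlib.sha256(data).hexdigest()

def decode_signature(sig):
    """The pipeline from the thread: sigtool --find-sigs <sig> | sigtool --decode-sigs.
    Returns the decoded text, or None when sigtool is not on PATH."""
    if shutil.which("sigtool") is None:
        return None
    found = subprocess.run(["sigtool", "--find-sigs", sig], capture_output=True, text=True)
    decoded = subprocess.run(["sigtool", "--decode-sigs"], input=found.stdout,
                             capture_output=True, text=True)
    return decoded.stdout

if __name__ == "__main__":
    # Constructed sample, taken from this thread's subject line
    sample = "/home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND"
    path, sig = parse_found_line(sample)
    print(split_signature(sig))
    print(decode_signature(sig) or "sigtool not found; cannot show what the signature matches")
    try:
        with open(path, "rb") as f:  # the hash to include with the FP submission
            print(sha256_hex(f.read()), path)
    except OSError as exc:
        print("cannot hash", path, exc)
```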