Html.Exploit.CVE_2016_7190-2


Html.Exploit.CVE_2016_7190-2

Postby dgkanter » Fri 06 Jan 2017 6:19 am

I see that back on 23 Oct 2016, alvarnell reported that Html.Exploit.CVE_2016_7190-1 was a False Positive and that the definitions were being updated to reflect that. I just had my Internet Cache reported by Sentry as being infected in two places with the -2 variant. Has it been determined also to be a False Positive? (Both Sentry and ClamXav report, when doing a Virus Definitions update, that they are up to date.)

David
(ClamXav v2.11/0.99.2 (2835) - Jan 5, 2017 03:20:54; MacBookPro13,3, macOS 10.12.2)
dgkanter
 
Posts: 66
Joined: Tue 11 Apr 2006 7:04 pm

Re: Html.Exploit.CVE_2016_7190-2

Postby alvarnell » Fri 06 Jan 2017 7:30 am

dgkanter wrote: I just had my Internet Cache reported by Sentry as being infected in two places with the -2 variant. Has it been determined also to be a False Positive?
Not at this time. This revised signature was added on Dec 16 by Daily - 22722.

Looking at the description of CVE-2016-7190:
"The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability"," indicates that it's not a threat to OS X or its applications.

It's normal for such infections to show up as two parts of your browser cache as the result of visiting an infected web site and can safely be ignored as long as you are not running Edge in a Windows environment.
-Al-
--
iMac(21.5-inch, Mid 2011) 2.8GHz Intel Core i7/OSX 10.10.5, 10.11.6, 10.12.6 & 10.13.6/ClamXAV v3.0.9 (7713)/0.100.2_01
iMac(Retina 5K, 27-inch, 2017) 4.2GHz Intel Core i7/macOS 10.12.6, 10.13.6 & 10.14.5/ClamXAV v3.0.11 (7899)/0.101.2_09
alvarnell
Site Admin
 
Posts: 5509
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: Html.Exploit.CVE_2016_7190-2

Postby dgkanter » Fri 06 Jan 2017 3:48 pm

alvarnell wrote:
dgkanter wrote: I just had my Internet Cache reported by Sentry as being infected in two places with the -2 variant. Has it been determined also to be a False Positive?
Not at this time. This revised signature was added on Dec 16 by Daily - 22722.
Looking at the description of CVE-2016-7190:
"The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability"," indicates that it's not a threat to OS X or its applications.

It's normal for such infections to show up as two parts of your browser cache as the result of visiting an infected web site and can safely be ignored as long as you are not running Edge in a Windows environment.


Thanks; good to hear; and I don't do anything in any Windows environment.

David
dgkanter
 
Posts: 66
Joined: Tue 11 Apr 2006 7:04 pm

Re: Html.Exploit.CVE_2016_7190-2

Postby Radar1968 » Wed 07 Jun 2017 7:10 pm

This exploit popped up for me the other day when visiting a Wordpress based site.

Has this been updated as a false positive? I can't find 7190-2 specifically anywhere, even Googling it.

Appreciate it's Windows Edge / Windows only, so as a Mac-only user I'm not affected, but it would be nice to know what has happened.

Kind Regards

Radar
Radar1968
 
Posts: 84
Joined: Thu 20 Dec 2012 8:59 pm

Re: Html.Exploit.CVE_2016_7190-2

Postby alvarnell » Wed 07 Jun 2017 7:18 pm

It's still a valid signature and I don't believe anybody else has reported it to the HelpDesk.

If it had been deemed an FP it would have been removed or revised or ClamXav would have been instructed to ignore it.
-Al-
--
iMac(21.5-inch, Mid 2011) 2.8GHz Intel Core i7/OSX 10.10.5, 10.11.6, 10.12.6 & 10.13.6/ClamXAV v3.0.9 (7713)/0.100.2_01
iMac(Retina 5K, 27-inch, 2017) 4.2GHz Intel Core i7/macOS 10.12.6, 10.13.6 & 10.14.5/ClamXAV v3.0.11 (7899)/0.101.2_09
alvarnell
Site Admin
 
Posts: 5509
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA
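The two questions above (which definitions file a signature such as Html.Exploit.CVE_2016_7190-2 lives in and what it actually matches, and why one visit to a page shows up as two hits in a browser cache) can both be answered from the command line. The script below is an added example and is not ClamXav's or ClamAV's own tooling. It assumes the ClamAV command-line tools (`sigtool`, `clamscan`) are installed and that the daily database sits in `DB_DIR` (the default path is an assumption; set it to wherever your `daily.cvd`/`daily.cld` lives). `summarize_hits` needs only awk and works on saved `clamscan` output, so it runs without ClamAV present.

```shell
#!/bin/sh
# Added example: locate a ClamAV signature by name and summarise scan hits.
# Not ClamXav/ClamAV project code. DB_DIR is an assumed location; override it
# with DB_DIR=/path/to/clamav/db before running.

DB_DIR="${DB_DIR:-/usr/local/share/clamav}"

# show_signature NAME_REGEX
#   Print every signature whose name matches NAME_REGEX from the databases in
#   DB_DIR, decoded into readable form so you can see the bytes it looks for.
#   sigtool's --find-sigs and --decode-sigs options are standard ClamAV tools.
show_signature() {
    name="$1"
    if ! command -v sigtool >/dev/null 2>&1; then
        echo "sigtool not found; install the ClamAV command-line tools" >&2
        return 1
    fi
    sigtool --datadir="$DB_DIR" --find-sigs="$name" | sigtool --decode-sigs
}

# summarize_hits
#   Read "path: Signature.Name FOUND" lines (clamscan output) on stdin and
#   print one line per signature: total hits and how many of those hits sit
#   inside a macOS browser cache (~/Library/Caches/...). Two hits from one
#   cache is the normal pattern after visiting a page carrying the content.
#   The signature is always the next-to-last field, so paths with spaces
#   are handled; sort keeps the output order stable.
summarize_hits() {
    awk '
        / FOUND$/ {
            sig = $(NF-1)
            n[sig]++
            if ($0 ~ /\/Library\/Caches\//) cache[sig]++
        }
        END {
            for (s in n)
                printf "%s hits=%d in_browser_cache=%d\n", s, n[s], cache[s] + 0
        }' | sort
}

# Typical use (uncomment to run):
#   show_signature 'Html.Exploit.CVE_2016_7190'
#   clamscan -r --infected "$HOME/Library/Caches" | summarize_hits
```

If `show_signature` prints nothing for the name, the signature is not in the databases in `DB_DIR`, which is what you would expect after an FP has been removed or revised; if it does print, the decoded body tells you which HTML/JavaScript fragment triggered the hit, which is what to include when reporting a suspected false positive.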

Re: Html.Exploit.CVE_2016_7190-2

Postby Radar1968 » Wed 07 Jun 2017 7:54 pm

alvarnell wrote:It's still a valid signature and I don't believe anybody else has reported it to the HelpDesk.

If it had been deemed an FP it would have been removed or revised or ClamXav would have been instructed to ignore it.


Thanks for the usual prompt response.

I'll assume the website is infected and not worry, and I'm 'non-Windows'.

Would it be worth me notifying the website?

FYI, it's: http://thelordsofmidnight.com/blog/
Selecting The Maps and then Midnight causes Sentry to pick it up I believe.

Kind Regards
Radar
Radar1968
 
Posts: 84
Joined: Thu 20 Dec 2012 8:59 pm
