I guess everyone's heard about the jpeg vulnerability in certain Microsoft products? CERT have put out an advisory, and it is being ranked as critical.

Now I know that strictly speaking this isn't a virus, it's a vulnerability - but there have been, in the past, signatures added for some exploits (e.g. the Iframe exploit). So my question is, is it practicable to create a signature for this (I have no idea how signatures are created)? AFAIK there's no public exploit circulating for this yet, but I'd guess it's going to happen...

This page gives more details on the actual vulnerability...

http://seclists.org/lists/fulldisclosure/2004/Sep/0509.html

It looks like there are two possible four byte sequences that can trigger the exploit. I guess this is probably too small to avoid an unacceptable level of false positives(?) Presumably this could be combined with the 'magic' numbers for jpeg files to improve this, but still maybe not narrow enough? I'm trying to find out whether there is a particular place the comment field occurs, but the documentation is not very easy to understand without background knowledge.

From my perspective having clam detect this would be ideal, since both our email and http scanners use clam as a detection engine.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
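
An added example, not part of the original message and not ClamAV's own signature or code: a sketch of why a raw four-byte match is too loose and how walking the JPEG segment structure narrows it. It assumes the standard JPEG layout, where a comment (COM) segment is the marker `FF FE` followed by a two-byte big-endian length that counts its own two bytes, so the two sequences in question are `FF FE 00 00` and `FF FE 00 01`. The function names and sample byte strings are constructed for illustration.

```python
import struct

COM, SOS, EOI = 0xFE, 0xDA, 0xD9
NO_LENGTH = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0-7
PATTERNS = (b"\xff\xfe\x00\x00", b"\xff\xfe\x00\x01")

def naive_hits(data):
    """Count raw occurrences of the two four-byte sequences anywhere in the data."""
    return sum(data.count(p) for p in PATTERNS)

def bad_comment_offsets(data):
    """Walk JPEG marker segments; return offsets of COM markers whose length is < 2."""
    if data[:2] != b"\xff\xd8":          # no JPEG magic number: nothing to report
        return []
    found, i = [], 2
    while i + 1 < len(data):
        if data[i] != 0xFF:              # lost sync, stop rather than guess
            break
        marker = data[i + 1]
        if marker == 0xFF:               # fill byte before a marker
            i += 1
            continue
        if marker == EOI:
            break
        if marker in NO_LENGTH:
            i += 2
            continue
        if i + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        if length < 2:                   # a valid length is never below 2
            if marker == COM:
                found.append(i)
            break                        # cannot locate the next segment
        i += 2 + length
        if marker == SOS:                # skip entropy-coded scan data
            while i + 1 < len(data) and not (
                    data[i] == 0xFF and data[i + 1] != 0x00
                    and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    return found

# Constructed samples (not real files).
BENIGN = (b"\xff\xd8" + b"\xff\xe1\x00\x0cExif\x00\x00\xff\xfe\x00\x00"
          + b"\xff\xfe\x00\x04ok" + b"\xff\xd9")   # pattern sits inside APP1 payload
MALFORMED = b"\xff\xd8" + b"\xff\xe0\x00\x04AB" + b"\xff\xfe\x00\x01junk\xff\xd9"
UTF32_TEXT = b"\xff\xfe\x00\x00" + "hi".encode("utf-32-le")  # UTF-32LE BOM
```

The raw match fires on all three samples, including a plain UTF-32LE text file, while the segment walk reports only the malformed comment, which is the false-positive concern raised in the message.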