While viewing a thread in the Adobe forums my Avast! Antivirus blocked a script running in Firefox. It attempted to download a trojan to my PC.
The source of the script was: http://forums.adobe.com/4.5.6/resources/scripts/gen/220b1b06a29F901e1d24252ac800883e.js.
The infection was: JS:Blacole-AV [Trj]
EDIT: It is happening more frequently now from various links. Like: http://forums.adobe.com/community/coldfusion
Message was edited by: bswanwick
Thank you for the information. We are investigating it now.
Is anyone else seeing this? We have a case opened with Jive to investigate it.
Have not encountered such, over about 1/2 dozen Adobe Forums - so far.
Hunt
No, I'm fully protected by the same AV bswanwick is, and I'm not seeing any malware.
Edit: I just verified (via IE9's F12 Developer Tools) that I am indeed loading:
/4.5.6/resources/scripts/gen/220b1b06a29f901e1d24252ac800883e.js
Whether we all get the data from the same servers is not certain.
-Noel
Almost positive this is a false-positive from Avast. Jive support is bringing in their engineering and hosting people for more investigation.
Not able to duplicate this with the latest update from Avast. Can you provide me with the current virus definition you have and the current program version?
Thanks!
From Jive support:
We have concluded that this was an issue with the virus definitions of Avast (#120828-1). If you update to the newest virus definitions (currently #120828-2), you should not receive the warning anymore as it has fixed the problem. This was a simple false positive, so there is no need to worry about infected computers due to this.
John,
We have concluded that this was an issue with the virus definitions of Avast (#120828-1). If you update to the newest virus definitions (currently #120828-2), you should not receive the warning anymore as it has fixed the problem.
Good to know, and thank you for reporting.
Appreciated,
Hunt
Perhaps the threat wasn't false-positive according to this link:
<http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>
Why is it that someone finds a bug/exploit and, rather than notifying the software manufacturers on the QT, instead publishes it for all to see, including the bad guys? Guaranteeing that the exploit will be used.
I'm sure there are people here smart enough to use it and might even consider it. And someone has provided a link on how to create it.
I'm not smart enough; just looking at the code given makes me zone out and gives me a headache.
Nothing to do with me. I was simply saying that bswanwick didn't have "false-positive" as suggested above because this was announced all over the place on the web. Yes, Avast is not a good anti-virus, but it is dangerous to discount everything as false-positive when Jive might be under attack from outside, NOT from USERs here.
What makes you think Avast! is not good?
-Noel
I wasn't referring to you. I was referring to the person who created the link to start with.
And BTW: In my post I made it sound like the forum visitors would use the code. I'm sure the folks here are honorable enough not to use it. I know I wouldn't even if I could make sense of the code.
mytaxsite.co.uk wrote:
Perhaps the threat wasn't false-positive according to this link:
<http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>
This is about the well-publicized vulnerability in Java 1.7; Jive does not use Java, to the best of my knowledge. (Java is not related to JavaScript in any way.)
As of this morning I am on virus definition 120829-0 and can confirm that I am no longer receiving any messages from Avast! while browsing the Adobe forums.
Thank you for reporting the definitions version and the state of things now.
Good luck,
Hunt
Security Alert for CVE-2012-4681 released August 30, 2012 by Oracle to address 3 distinct but related vulnerabilities (CVE-2012-4681, CVE-2012-1682 and CVE-2012-3136) and one security issue (CVE-2012-0547) affecting Java running in desktop browsers.
These - high severity - vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. This malware may in some instances be detected by current antivirus signatures upon its installation.
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
Thanks for the info, Rick, but... What's the relationship you're seeing between these announcements and this thread? I thought we'd written this off as a false positive.
-Noel
I was just following @mytaxsite's post #9 above concerning there might've been something more than just a 'simple false positive' as concluded by Jive support.
If it was so then why is it that the referenced page isn't available since then?
While I think there might've been a redirecting attempt, it was probably 'to' and not 'from' that Adobe page, originated by a malicious javascript on bswanwick's FF browser?
Anyway, without further information (if reported to Avast!) from @bswanwick there's nothing else to add but that I'm glad he is (and the forums) Ok.
______________________________________________________
P.S. Security researchers' reports on the BlackHole Kit to exploit Java (and others) flaws - Did you read the latest?
http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/
RickCP wrote:
P.S. Security researchers' reports on the BlackHole Kit to exploit Java (and others) flaws - Did you read the latest?
http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/
But how is this related to this topic, or this forum?