I made a custom scan that scans the operating memory of the computer (running processes) and auto-start.
After doing that scan a few minutes ago, it detected “Threat: HTML:CVE-2004-1050 [Expl]” in “*Process\9c4\firefox.exe\ec33000\1e000”.
The problem is that I could not select any actions to deal with the threat (I assume since Firefox is still running, I’ll try again without it running).
Anyway I did the scan a few times again later except it found nothing.
My question is what happened? Also what does [Expl] mean and what type of threat did Avast find and why is it not showing up again (am I still infected)?
Edit: I tried to select and apply an action with Firefox closed (by checking the log of the scan result), but the “apply” button was still grayed out and unusable.
You can’t do any of the actions as they relate to physical files; you can’t move a memory block to the chest, etc. etc.
This is a block of memory that is loaded into memory by Firefox.
The [Expl] = Exploit, an HTML exploit from 2004; CVE = Common Vulnerabilities and Exposures. So I doubt it is any real problem, but a consequence of doing a custom scan that included the memory. If your OS and browser are fully up to date then you aren’t vulnerable to this exploit, assuming that it is a good detection.
See http://secunia.com/advisories/cve_reference/CVE-2004-1050/; from this it might have been something like an iframe in a page loaded into memory earlier that triggered it. But it is a little difficult to say. I would suggest that you clear your browser cache and close Firefox before restarting it.
What is your OS and its SP version, etc.?
What is your browser and version number?
I am currently using 64-bit Windows Vista (it’s fully patched, SP2).
For the browser, I am using Firefox 3.6.8. It seems to be the most up to date (I clicked check for updates and did not see anything).
However, I did recently run a Secunia scan and noticed that my Adobe Flash Player was outdated (by only one patch though; the most recent Flash patch came out 3-4 days ago). I’m not sure if it’s because of that, but it does say “Threat: HTML:CVE-2004-1050 [Expl]” (so it’s an old 2004 exploit?).
So the problem was simply that it was an old exploit on a web page and I just happened to custom scan at the time I was viewing that page?
Should I be worried about anything? Thanks again for the reply :).
I wouldn’t have thought it was related to Flash Player, as that would postdate the 2440 exploit; however, that generally doesn’t stop speculative attempts.
That is my best guess: it was something in a browser page that was loaded into memory, but there is no real way to tell for certain.
I don’t believe you are at risk as your OS is up to date, and if you clear your browser cache and restart Firefox it should remove anything in memory. You could reboot to be sure, but outside of that I don’t believe you have anything further.
Personally I don’t do memory scans as you can get some weird consequences, mainly with other security applications loading their signatures into memory and they would be detected also (lots of that in the viruses and worms forum). I also tend to stick to non-paranoid pre-defined scans, either the Quick or Full System scans.