Bloodhound.Exploit.52 (Flash Player 7) detections

Published: 2005-11-11
Last Updated: 2005-11-12 11:39:57 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
We received a report of multiple alerts from an enterprise Symantec user, the alerts are Bloodhound.Exploit.52 detections, "a heuristic detection for the Flash Player 7 Improper Memory Access Vulnerability, as described in MPSB05-07.

Samples of the files triggering the detections are not available at the moment.

If you're seeing this or any other related alerts please drop us a note.


The submitter has sent the following information;

"We are using Symantec Corporate Edition scan engine: we also use rapid release definition files and the version 11/10/2005 rev. 39 and a version from 11/11/2005 unknown revision. The trick is that you have to have flash player 7.0.19 any newer version of flash player does not trigger the Symantec alert. Hope that helps."

We received a second report, similar to the first. Based on the websites reported at this point, they do not involve any domains I'm familiar with that have been known to dish out malware. More to come!

UPDATE Symantec's write-up says "Files that are detected as Bloodhound.Exploit.52 may be malicious. We suggest that you submit to Symantec Security Response any files that are detected as Bloodhound.Exploit.52.".

FINAL UPDATE - We received this information from a contributor who asked for anonymity - "I checked with my Symantec Technical Account Manager regarding Bloodhound.Exploit.52.  They've only had false positive submissions on that heuristic so they've revised it.  The revised heuristic is available in the Rapid Release definitions.  Certified definitions will have the revised heuristic tomorrow."

Thanks for all the reports.

0 comment(s)


Diary Archives