Bug 1841751 and bug 1823412 are examples where malware injects DLLs into Firefox processes. In bug 1841751, the DLL seems unsigned. I also confirmed that I can inject my own unsigned DLL without any problem. I feel like in 2023 we should be safe to block all unsigned DLLs: - possibly behind a pref, to allow easy debugging (e.g. me playing with bug 1841751); - possibly only for recent versions of Windows if we discover old legit unsigned DLLs on older versions. I would guess that most (if not all) injected unsigned DLLs these days are likely to be malicious, at least on recent machines. Of course we should first double check this guess by looking for counterexamples in telemetry (e.g., is the X-Mouse Button Control DLL signed? if not, can we interact with the developer so that they sign it?). Overall, it should improve the user experience (e.g. fewer ads shown by adware) and security (fewer data collected by malware without the user knowing).
Bug 1842541 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Bug 1841751 and bug 1823412 are examples where malware injects DLLs into Firefox processes. In bug 1841751, the DLL seems unsigned. I also confirmed that I can inject my own unsigned DLL without any problem. I feel like in 2023 we should be safe to block all unsigned DLLs: - possibly behind a pref, to allow easy debugging (e.g. me playing with bug 1841751); - possibly only for recent versions of Windows if we discover old legit unsigned DLLs on older versions. I would guess that most (if not all) injected unsigned DLLs these days are likely to be malicious, at least on recent machines. Of course we should first double check this guess by looking for counterexamples in untrusted modules telemetry (e.g., is the X-Mouse Button Control DLL signed? if not, can we interact with the developer so that they sign it?). Overall, it should improve the user experience (e.g. fewer ads shown by adware) and security (fewer data collected by malware without the user knowing).
Bug 1841751 and bug 1823412 are examples where malware injects DLLs into Firefox processes. In bug 1841751, the DLL seems unsigned. I also confirmed that I can inject my own unsigned DLL without any problem. I feel like in 2023 we should be safe to block all unsigned DLLs: - possibly behind a pref, to allow easy debugging (e.g. me playing with bug 1841751); - possibly only for recent versions of Windows if we discover old legit unsigned DLLs on older versions. I would guess that most (if not all) injected unsigned DLLs these days are likely to be malicious, at least on recent machines. Of course we should first double check this guess by looking for counterexamples in untrusted modules telemetry (e.g., is the X-Mouse Button Control DLL signed? if not, can we interact with the developer so that they sign it?). Overall, it should improve the user experience (e.g. fewer ads shown by adware) and security (e.g. fewer data collected by malware without the user knowing).