The latest version of SearchProtect is disabling the DLL blocklist by using a helper binary SPVC32Loader.dll to reset LdrLoadDll's prologue. I've confirmed this with a memory breakpoint. It started happening sometime around:

Timestamp: Fri May 23 19:20:46 2014 (537EF6CE)
File version: 220.127.116.11

This is causing a number of DLLs that we've recently blocked to appear in crash reports again. That includes SPVC32.dll, libinject.dll, and the MovieMode family. As a reactive fix we could block SPVC32Loader, but it may not hold up in the long term.
Created attachment 8436657
Blocklist spvc32loader.dll

Not sure if we want to take this...
Requesting tracking to get on Rel-Man's radar for consideration.
status-firefox30: --- → affected
tracking-firefox30: --- → ?
FWIW, http://www.conduit.com/searchprotect even describes the software as legitimately protecting the user from unwanted search changes. Maybe someone from our side should contact them - http://www.conduit.com/aboutus/contactus - about not undoing our blocking mechanisms as that makes people crash with malware instead?
Could someone from release management take a look at this? We may need to contact SearchProtect. Thanks!
I've emailed the addresses in bugzilla that have conduit.com in them (including email@example.com) and will wait to see if we hear back from them soon. This isn't specific to FF30 since it's an addon and is out of band with release versions. We'll give Conduit a day or two to get back to us but if crash volume rises on issues we know to be resolved with DLL blocking, we can look at taking that SearchProtect DLL block to mitigate the issue, even temporarily, while trying to work this out with them.
tracking-firefox30: ? → ---
(In reply to Robert Kaiser (:firstname.lastname@example.org) from comment #4)
> FWIW, http://www.conduit.com/searchprotect even describes the software as
> legitimately protecting the user from unwanted search changes.

Well, it "protects" users from others changing the settings that the installer just set. We forbid including such services with add-ons and we have been blocking Conduit products for a while.

> Maybe someone
> from our side should contact them - http://www.conduit.com/aboutus/contactus
> - about not undoing our blocking mechanisms as that makes people crash with
> malware instead?

Some former Conduit products are now managed by a different company. I also sent them a message and am waiting for a reply.
While investigating another bug, I found a copy of Search Protect from June 23. Now they are disabling the blocklist just long enough to load their own software, and re-enabling it afterward. Sigh. I guess it's an improvement.