Open Bug 1417897 Opened 2 years ago Updated 10 months ago

Crash in wslbscrwh64.dll@0x2a740

Categories

(External Software Affecting Firefox :: Other, defect, critical)

Unspecified
Windows 10
defect
Not set
critical

Tracking

(firefox-esr52 wontfix, firefox57 wontfix, firefox58 wontfix, firefox59 affected, firefox62 affected, firefox64 affected)

Tracking Status
firefox-esr52 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- affected
firefox62 --- affected
firefox64 --- affected

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is
report bp-31da64a6-551d-4e20-8d62-7c7c70171115.
=============================================================

Seen while looking at nightly crash stats: http://bit.ly/2yMLEco. Crash is 100% correlated to wslbscrwh64.dll, which appears to be some kind of browser plugin made by GAS Tecnologia.

Top 10 frames of crashing thread:

0 wslbscrwh64.dll wslbscrwh64.dll@0x2a740 
1 user32.dll DispatchHookW 
2 user32.dll _fnHkINLPDEBUGHOOKSTRUCT 
3 ntdll.dll KiUserCallbackDispatch 
4 win32u.dll NtUserPeekMessage 
5  @0xa024f 
6 ntdll.dll NtdllDispatchHook_A 
7 user32.dll PeekMessageW 
8 wslbscrwh64.dll wslbscrwh64.dll@0x27dea 
9 xul.dll nsAppShell::ProcessNextNativeEvent widget/windows/nsAppShell.cpp:379

=============================================================
Crash Signature: [@ wslbscrwh64.dll@0x2a740] → [@ wslbscrwh64.dll@0x2a740] [@ wslbscrwh64.dll@0x60fda]
this is now spiking up since yesterday on 57 release as [@ DispatchHookW] as well with crash reports from over 1000 installations, mainly from pt-br builds. apparently an external update made the situation worse there.

the software causing this (http://www.dieboldnixdorf.com.br/warsaw ?) seems to be similar to trusteer, but for the brazilian market. should we attempt to blocklist the dll an/or reach out to the vendor?
Crash Signature: [@ wslbscrwh64.dll@0x2a740] [@ wslbscrwh64.dll@0x60fda] → [@ wslbscrwh64.dll@0x2a740] [@ wslbscrwh64.dll@0x60fda] [@ DispatchHookW ]
See Also: → 1419418
a brazilian contributor told me, that "it's almost mandatory for us install this software to access Internet banking account. 4 of the most popular banks use it", so blocklisting wouldn't be too great i suppose.
can we attempt to reach out to them (http://www.dieboldnixdorf.com.br/gas-antifraude) instead?
Flags: needinfo?(astevenson)
Reuben - Any ideas of who could help here? I imagine a native speaker would be helpful here.
Flags: needinfo?(reuben.bmo)
¡Hola!

FWIW tweeted at them at https://twitter.com/alex_mayorga/status/956231251974750209

The support form for Warsaw seems to be at http://www.dieboldnixdorf.com.br/contato-antifraude but my Portuguese is almost 0.

¡Gracias!
Alex
Their contact form also exists in English so I tried writing to their support staff. I'll also try calling their US number and emailing their other tech support address later today. 


Bob, might this have anything to do with our changes in 58.0.1? Or are we sure that it's an update from the banking software itself?
Flags: needinfo?(bobowencode)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #5)
...
> Bob, might this have anything to do with our changes in 58.0.1? Or are we
> sure that it's an update from the banking software itself?

This looks unrelated to the chromium sandbox DLL blocklist that we turned off.
From a quick glance looks like they might be hooking PeekMessageW and messing things up somehow.
Flags: needinfo?(bobowencode)
Hi Marcia, sorry for the delay.

I tried calling them just now but it's off hours so I couldn't reach anyone. I'll try again tomorrow during work hours.
I've tried calling a couple times today but nobody picks up, seems like the number listed here is not watched: http://www.dieboldnixdorf.com.br/contato-antifraude

I've left them a message as well.
Flags: needinfo?(reuben.bmo)
A Diebold analyst reached out to me asking for a raw dump of the crash, since they don't have access to the download in crash-stats.
Flags: needinfo?(mozillamarcia.knous)
(In reply to Reuben Morais [:reuben] from comment #9)
> A Diebold analyst reached out to me asking for a raw dump of the crash,
> since they don't have access to the download in crash-stats.

Thanks Reuben. This is possible, but we have to get permission from a user facing the crash in order to give them a dump. If we can find one and get their permission, then we can provide that information.
Flags: needinfo?(mozillamarcia.knous)
I reached out to a few users to see if I could obtain their permission to pass on a raw dump - will wait and see if I hear back.
Flags: needinfo?(astevenson)
¡Hola Marcia!

Did you hear back form the users?

¡Gracias!
Alex
Flags: needinfo?(mozillamarcia.knous)
(In reply to alex_mayorga from comment #12)
> ¡Hola Marcia!
> 
> Did you hear back form the users?
> 
> ¡Gracias!
> Alex

No, I never did hear back from any users that I sent email to.
Flags: needinfo?(mozillamarcia.knous)
Kasperksy managed to reproduce the crash here and sent details to Diebold. They said they scheduled to fix the problem in their next product update.
Looks as if we have some crashes on 64, but it seems to be one user generating the crashes. There is also a lone crash in one signature in 62.
Crash Signature: [@ wslbscrwh64.dll@0x2a740] [@ wslbscrwh64.dll@0x60fda] [@ DispatchHookW ] → [@ wslbscrwh64.dll@0x2a740] [@ wslbscrwh64.dll@0x60fda] [@ wslbscr64.dll@0x62eca] [@ wslbscrwh64.dll@0x8d992] [@ DispatchHookW ]
You need to log in before you can comment on or make changes to this bug.