Closed Bug 1418594 Opened 7 years ago Closed 6 years ago

Malwarebytes closing Firefox Quantum beta due to "detected exploit ROP gadget attack"

Categories

(External Software Affecting Firefox :: Other, defect, P3)

x86_64
Windows 10

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: stressing, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [AV:Malwarebytes])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20171115114231

Steps to reproduce:

Opened Firefox, tried to use normally. Firefox Quantum Beta (v. 58.0b4, 64 bit) was being automatically closed by Malwarebytes (v. 3.3.1.2183) today. I had it do this multiple times today, every time with completely different websites open; it's not any specific website.


Actual results:

Malwarebytes closes it reporting a known exploit. Report below:
-Log Details-
Protection Event Date: 11/17/17
Protection Event Time: 10:20 PM
Log File: 676ab004-cc0f-11e7-b29e-fcaa149c9743.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3287
License: Premium

-System Information-
OS: Windows 10 (Build 16299.64)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Mozilla Firefox (and add-ons)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked

The Malwarebytes pop up says:
"Exploit automatically blocked
Malewarebytes detected and blocked an exploit. It is no longer a threat.
Affected Application: Mozilla Firefox
Protection layer: Protection against OS security bypass
Protection Technique: Exploit ROP gadget attack blocked."

Additional information:
Malwarebytes version information:
Version 3.3.1.2183
Component package version: 1.0.236
Update package version: 1.0.3287

In Firefox, I have a few add-ons/extensions:
Cisco Webex extension v. 1.0.12
Lastpass free v. 4.2.1.21
New Tab Override v. 11.0.0 by Soren Hentzschel
Stylus v 1.1.5 by Jeremy Schomery
uBlock Origin v. 1.14.18 by Raymond Hill
Unpaywall v. 1.5 by Impactstory team

Firefox crash reports:
https://crash-stats.mozilla.com/report/index/81cfeb51-4c3b-4bd6-96d1-a644f2170118 bp-81cfeb51-4c3b-4bd6-96d1-a644f2170118 1/17/2017 9:27 PM - 21:27
https://crash-stats.mozilla.com/report/index/6d61d73c-8e3c-4854-8c41-35f8d2170118 bp-6d61d73c-8e3c-4854-8c41-35f8d2170118 1/17/2017 8:45 PM - 20:45
https://crash-stats.mozilla.com/report/index/a3112137-1faf-40ee-b4aa-6747b2170118 bp-a3112137-1faf-40ee-b4aa-6747b2170118 1/17/2017 8:45 PM - 20:45
https://crash-stats.mozilla.com/report/index/db10f862-0005-46fa-9bcf-a36dd2170118 bp-db10f862-0005-46fa-9bcf-a36dd2170118 1/17/2017 7:33 PM - 19:33
https://crash-stats.mozilla.com/report/index/2da77aa3-6992-43e4-bc64-aea6e2170118 bp-2da77aa3-6992-43e4-bc64-aea6e2170118 1/17/2017 7:32 PM - 19:32
https://crash-stats.mozilla.com/report/index/390f0847-5925-4523-b91b-188ca2170118 bp-390f0847-5925-4523-b91b-188ca2170118 1/17/2017 7:27 PM - 19:27
https://crash-stats.mozilla.com/report/index/5be968e8-b2ca-4762-86e0-be3291171118 bp-5be968e8-b2ca-4762-86e0-be3291171118 11/17/2017 8:12 PM - 20:12


Expected results:

Firefox and Malwarebytes should play nicer.
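
Added example, not part of the original bug report or of Malwarebytes' tooling: a small Python parser for the sectioned `Key: value` layout of the protection log quoted in the report above, pulling out the fields a triager needs. `parse_report` and `triage` are hypothetical helper names, and the layout is assumed only from the one log shown here.

```python
import re

# Excerpt of the Malwarebytes protection log quoted in the report above.
SAMPLE_LOG = """\
-Log Details-
Protection Event Time: 10:20 PM

-Exploit Details-
File: 0
(No malicious items detected)
Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Mozilla Firefox (and add-ons)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked
"""

SECTION = re.compile(r"^-(.+)-$")        # e.g. "-Exploit Data-"
FIELD = re.compile(r"^([^:,]+):\s*(.*)$")  # split on the first colon only

def parse_report(text):
    """Return {section: {key: value}}; other lines are kept under '_raw'."""
    report, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        header = SECTION.match(line)
        if header:
            current = report.setdefault(header.group(1), {"_raw": []})
        elif line and current is not None:
            field = FIELD.match(line)
            if field:
                current[field.group(1).strip()] = field.group(2).strip()
            else:
                current["_raw"].append(line)
    return report


def triage(report):
    """Summarise one detection for compatibility triage (hypothetical helper)."""
    details = report.get("Exploit Details", {})
    data = report.get("Exploit Data", {})
    return {
        "application": data.get("Affected Application"),
        "layer": data.get("Protection Layer"),
        "technique": data.get("Protection Technique"),
        # Behavioural block with no file flagged: the log names no payload.
        "behaviour_only": details.get("File") == "0" and details.get("Exploit", "0") != "0",
    }
```

A `behaviour_only` result means the log records a blocked technique without any flagged file, which is the pattern this report shows.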
Severity: normal → major
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Component: Untriaged → Other
Product: Firefox → External Software Affecting Firefox
Version: 58 Branch → unspecified
Adam, do we have contacts at Malwarebytes?
Whiteboard: [AV:Malwarebytes]
https://forums.malwarebytes.com/topic/215365-firefox-quantum-beta-v-580b4-64b-closed-by-malwarebytes-v-3312183 is the link to my report at Malwarebytes' support forums. If you want to talk to them, a staffer is responsive over there.

The problem still exists today. I have disabled all add-ons except LastPass to see if it is one of the less important add-ons causing it. LastPass is pretty essential; I can't disable my password manager and then do things like come here and log in to update you.
Forgot to needinfo you in comment 1.
Do we have contacts at Malwarebytes? The staff person from the forum suggested disabling the protection in the Malwarebytes preferences, but clearly we should see if we can avoid this problem altogether for all users.
Flags: needinfo?(astevenson)
Marco - no, not currently, but I'm reaching out and have mentioned this issue. Will report back when I hear from them.
Flags: needinfo?(astevenson)
Just wanted to add a note that disabling "BottomUp ASLR Enforcement", "RET ROP Gadget detection" and "CALL ROP Gadget detection" browser protection resolved the matter completely, so your problem is in one of those 3 specific areas.
Thanks stressing, so it looks like this problem only affects us if some non-default configurations are enabled in Malwarebytes. It sounds like this won't affect many users.
Severity: major → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
I can confirm this also applies to the exploit protection of Windows 10 1709 and very likely to EMET in older versions. (Shall we change the bug's title?)

Specifically, after updating Firefox to version 58.0 stable, had to disable Export address filtering (EAF), Import address filtering (IAF) and Validate stack integrity (StackPivot) in order to be able to launch the browser. Otherwise, it would open and hang most of the interface, even in safe mode. Furthermore, the process would not terminate upon closing, having to force it in the task manager.
(Apologies for adding another comment, but I was unable to edit the previous one:)

StackPivot can remain enabled, after all. As such, both Export address filtering (EAF) and Import address filtering (IAF) seem to be the culprits.

Also tried to grab a log from Windows Event Viewer with the appropriate view filters, but for some reason, this particular "exploit" attempt does not seem to get logged. Anyway, just to add further information, both system and Firefox versions are x64 and exploit protection is applied directly to the executable firefox.exe.

Finally, even though this behaviour only occurs with custom anti-exploit settings and is thus likely to affect few people, it would be at least interesting to know whether this is really a new bug or just an expected consequence of the changes introduced in version 58.0.

Thank you for your time!
I have a contact at Malwarebytes and would be happy to make introductions.
See Also: → 1433065
Blocks: injecteject
Adam, any news from Malwarebytes? Maybe you can try with Chuck's contact?
Flags: needinfo?(astevenson)
Marco, nothing since the Dec 4th email chain you are on with their Technical Product Manager.

I believe their recommendation for this report is to stick to the recommended settings.
Flags: needinfo?(astevenson)
(In reply to Adam Stevenson [:adamopenweb] from comment #11)
> Marco, nothing since the Dec 4th email chain you are on with their Technical
> Product Manager.
> 
> I believe their recommendation for this report is to stick to the
> recommended settings.

Thanks, I totally forgot about that thread.
I guess we can resolve this as WONTFIX, as there's nothing we can do from our side.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX