Bug 1419418 (Open)
Opened 5 years ago
Updated 6 months ago
Investigate why core.exe is our second most common accessibility OOP client
Categories: Core :: Disability Access APIs, enhancement, P3
Status: NEW
People: Reporter: jimm, Unassigned
References: Blocks 1 open bug
Details
See this data - https://sql.telemetry.mozilla.org/queries/48848#131661 I'm tempted to just block this outright but we should investigate first.
Comment 1•5 years ago
Do we have any established contacts?
Flags: needinfo?(mitaylor)
Flags: needinfo?(dchinniah)
Flags: needinfo?(astevenson)
Updated•5 years ago
Summary: Investigate why core.exe (Electronic Arts) is our second most common accessibility OOP client → Investigate why core.exe (Electronic Arts Download Manager) is our second most common accessibility OOP client
Comment 2•5 years ago
Let's get this installed and do some testing to see if there are performance issues.
Comment 3•5 years ago
David - We have a mailing list with EA, sent you a DM about getting added to it.
Flags: needinfo?(mitaylor)
Flags: needinfo?(dchinniah)
Flags: needinfo?(astevenson)
Comment hidden (offtopic)
Comment 5•5 years ago
I've been testing working with the Origin application [1], which is the current rev of the EA Download Manager desktop app. So far no luck getting accessibility to turn on due to this. I played a free game and poked around various options and settings. Note there is a switch in settings for "browser integration" which is on. Testing with Firefox 57 set as the default. I do not see a core.exe running though, so maybe these clients have a different revision of this EA software.

[1] https://www.origin.com/

Tracy, would you please do some additional discovery work here - try to find a rev of this EA Download Manager software that installs a 'core.exe' and turns on a11y in the default browser. Please test with 57.
Flags: needinfo?(twalker)
Comment 6•5 years ago
Here's a query that lists all the versions of core.exe as an a11y instantiator: https://sql.telemetry.mozilla.org/queries/49500/source I'll try reproducing this today.
Comment 7•5 years ago
I made initial EA contact directly via a common friend, and have cc'ed you Jim.
Comment 8•5 years ago
According to some comments on a file id site, this gets installed with 'EA Link'.
Comment 9•5 years ago
Hey Jim, I'm Thomas from EA. Do you have any more details on which file it is? Core.exe? Do you have a version number or any other information, like a screenshot of specific settings of EADM that were used to repro this problem?
Flags: needinfo?(tbruckschlegel)
Comment 10•5 years ago
(In reply to Thomas Bruckschlegel from comment #9)
> Hey Jim,
>
> I'm Thomas from EA. Do you have any more details on which file it is?
> Core.exe? Do you have a version number or any other information, like a
> screenshot of specific settings of EADM that were used to repro this problem?

Hi Thomas,

Thanks for checking in here. We're not sure what EA application is involved; what we have is an exe name (core.exe) and version info:

core.exe - 2.8.4.40465, population:1861340
core.exe - 2.8.4.40478, population:647490
core.exe - 2.8.4.40429, population:36050
core.exe - 2.8.4.40408, population:14680
core.exe - 2.7.3.6798, population:5530
core.exe - 2.8.3.10739, population:4390
core.exe - 2.8.4.36998, population:2530
core.exe - 2.8.3.15291, population:2430
core.exe - 2.8.3.15131, population:2190
core.exe - 2.8.3.19208, population:1450
core.exe - 2.8.1.12822, population:1030
core.exe - 2.8.4.40460, population:890
core.exe - 2.8.4.40453, population:810
core.exe - 2.7.6.1364, population:470
core.exe - 2.8.4.40412, population:300
core.exe - 2.8.2.3691, population:130
core.exe - 2.8.1.2134, population:100
core.exe - 2.8.1.3919, population:70
core.exe - 2.8.4.40394, population:30

We know accessibility APIs are in use for all of these users, and our internal accessibility library provides the information above related to what application triggered accessibility use. We've been trying to reproduce using various Origin apps but so far have not had any luck. Do you have any idea what products this might involve? Any idea why EA game software would consume APIs designed for desktop automation and the visually impaired?

Thanks for the help!
Comment 11•5 years ago
Core.exe was found in an old EA application, but the version number was higher. I did a quick check with http://processchecker.com/file/Core.exe.html

Looks like this app is what you are looking for:

F:\Arquivos de programas\Diebold\Warsaw\core.exe
GAS Tecnologia - Protection
GAS Tecnologia LTDA
2.8.3.10739
62161
41D89D7D6B32961B3961DD0A41785854
Flags: needinfo?(tbruckschlegel)
Comment 12•5 years ago
(In reply to Thomas Bruckschlegel from comment #11)
> Core.exe was found in an old EA application, but the version number was
> higher. I did a quick check with

This is very helpful, so you can confirm this application is not an EA app based on the version information?

> http://processchecker.com/file/Core.exe.html
>
> Looks like this app is what you are looking for:
>
> F:\Arquivos de programas\Diebold\Warsaw\core.exe GAS Tecnologia -
> Protection GAS Tecnologia LTDA 2.8.3.10739 62161
> 41D89D7D6B32961B3961DD0A41785854

We kinda ruled smaller apps and malware out due to the high incidence rate, but sounds like we should reconsider. Thanks.
Updated•5 years ago
Flags: needinfo?(tbruckschlegel)
Comment 13•5 years ago
(In reply to Jim Mathies [:jimm] from comment #12)
> (In reply to Thomas Bruckschlegel from comment #11)
> > Core.exe was found in an old EA application, but the version number was
> > higher. I did a quick check with
>
> This is very helpful, so you can confirm this application is not an EA app
> based on the version information?
>
> > http://processchecker.com/file/Core.exe.html
> >
> > Looks like this app is what you are looking for:
> >
> > F:\Arquivos de programas\Diebold\Warsaw\core.exe GAS Tecnologia -
> > Protection GAS Tecnologia LTDA 2.8.3.10739 62161
> > 41D89D7D6B32961B3961DD0A41785854
>
> We kinda ruled smaller apps and malware out due to the high incidence rate,
> but sounds like we should reconsider. Thanks.

Yes, the version number scheme does not match the scheme EA was using that long ago, and core.exe is no longer part of our current Origin product.
Flags: needinfo?(tbruckschlegel)
Comment 14•5 years ago
(In reply to Thomas Bruckschlegel from comment #13)
> Yes, the version number scheme does not match the scheme EA was using that
> long ago and core.exe is no longer part of our current Origin product.

Thanks!
status-firefox59: affected → ---
Flags: needinfo?(twalker)
OS: Unspecified → Windows
Hardware: Unspecified → All
Summary: Investigate why core.exe (Electronic Arts Download Manager) is our second most common accessibility OOP client → Investigate why core.exe is our second most common accessibility OOP client
Comment 16•5 years ago
Warsaw 1.3.1 is a program developed by GAS Tecnologia. Upon installation and setup, it defines an auto-start registry entry which makes this program run on each Windows boot for all user logins. It adds a background controller service that is set to automatically run. Delaying the start of this service is possible through the service manager. The software is designed to connect to the Internet and adds a Windows Firewall exception in order to do so without being interfered with. The main program executable is core.exe. The software installer includes 27 files and is usually about 8.04 MB (8,434,614 bytes). In comparison to the total number of users, most PCs are running the OS Windows 7 (SP1) as well as Windows 8. While about 94% of users of Warsaw come from Brazil, it is also popular in the United States and France.

It seems this is used mostly by banks in Brazil. However, it is also reported as malware.

I haven't had any luck finding a way to install the software; I am still investigating.
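The persistence points described in the comment above (a Run-key auto-start entry, a background service, a Windows Firewall exception) are exactly what an investigator would want to enumerate on a machine that has this software before deciding whether to block the client. The script below is an added triage example written for this page, not code from Mozilla or from the bug's participants; it assumes the standard Run keys and install roots it lists are where such an installer would leave traces, and the only page-specific values it uses are the version strings from comment 10 and the MD5 from comment 11, so a real core.exe can be compared against them.

```powershell
# Added triage example (not Mozilla/Bugzilla code): locate core.exe on a Windows host,
# report how it is configured to start, who signed it, and its version and MD5 so the
# values can be compared with the telemetry list (comment 10) and the MD5 (comment 11).
# Assumption: the Run keys, the Services table and the install roots below are the
# persistence points worth checking for this kind of installer.

$TargetName = 'core.exe'

# Version strings reported by telemetry in comment 10 (page values, copied as-is).
$KnownVersions = @(
  '2.8.4.40465','2.8.4.40478','2.8.4.40429','2.8.4.40408','2.7.3.6798',
  '2.8.3.10739','2.8.4.36998','2.8.3.15291','2.8.3.15131','2.8.3.19208',
  '2.8.1.12822','2.8.4.40460','2.8.4.40453','2.7.6.1364','2.8.4.40412',
  '2.8.2.3691','2.8.1.2134','2.8.1.3919','2.8.4.40394'
)
# MD5 listed by processchecker in comment 11 (page value).
$KnownMd5 = '41D89D7D6B32961B3961DD0A41785854'
$NamePattern = [regex]::Escape($TargetName)

# 1. Auto-start registry entries: machine-wide, WOW64 view and the current user.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Value -is [string] -and $p.Value -match $NamePattern) {
      [pscustomobject]@{ Source = "Run key: $key"; Name = $p.Name; Command = $p.Value }
    }
  }
}

# 2. Services whose binary path references the executable (the "background controller service").
Get-CimInstance -ClassName Win32_Service |
  Where-Object { $_.PathName -match $NamePattern } |
  ForEach-Object {
    [pscustomobject]@{
      Source = 'Service'; Name = $_.Name; Command = $_.PathName
      StartMode = $_.StartMode; State = $_.State
    }
  }

# 3. Firewall rules whose application filter points at the program (the "firewall exception").
Get-NetFirewallApplicationFilter -All -ErrorAction SilentlyContinue |
  Where-Object { $_.Program -match $NamePattern } |
  Get-NetFirewallRule |
  Select-Object DisplayName, Direction, Action, Enabled

# 4. Every copy of the binary under the usual install roots: version, signer, hash.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA) |
  Where-Object { $_ }
Get-ChildItem -Path $roots -Filter $TargetName -Recurse -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $ver = $_.VersionInfo.FileVersion
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
    [pscustomobject]@{
      Path                = $_.FullName
      Company             = $_.VersionInfo.CompanyName
      FileVersion         = $ver
      InTelemetryList     = ($KnownVersions -contains $ver)
      Signer              = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
      SignatureStatus     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
      MD5                 = $md5
      MatchesComment11Md5 = ($md5 -eq $KnownMd5)
    }
  }
```

Run it from an elevated PowerShell session so the machine-wide Run key, service table and firewall store are all readable. A copy whose signer is a real company certificate with a Valid status, whose version appears in the telemetry list, and whose Run-key and service entries point at the same install directory is the "legitimate banking component" case discussed later in the thread; an unsigned or hash-mismatched binary with the same name is the case that argues for blocking.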
Comment 17•5 years ago
(In reply to David Bolter [:davidb] (NeedInfo me for attention) from comment #15)
> Thank you indeed. Let's block this.

If this is banking related, we should figure out what this does before blocking. It may be a required piece of some sort of bank access security software.
Comment 18•5 years ago
In continuing to research, I have come up with a loose hypothesis that this is actually malware that got installed on systems during a massive DNS breach of a major Brazilian financial company. See https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/

Malware may have been added to anyone using those bank(s) online services that particular Saturday during the breach window. My theory is this core.exe was part of that malware package. Not much to back up the theory though.
Comment 19•5 years ago
Quote from the above-linked Wired article:

"Aside from mere phishing, the spoofed sites also infected victims with a malware download that disguised itself as an update to the Trusteer browser security plug-in that the Brazilian bank offered customers. According to Kaspersky's analysis, the malware harvests not just banking logins—from the Brazilian banks as well as eight others—but also email and FTP credentials, as well as contact lists from Outlook and Exchange, all of which went to a command-and-control server hosted in Canada. The Trojan also included a function meant to disable antivirus software; for infected victims, it may have persisted far beyond the five-hour window when the attack occurred."

These attackers were extremely clever, using multiple vectors. I don't think we'll ever know completely what happened. But I think we should probably just block core.exe.
Updated•5 years ago
Priority: P2 → P1
Comment 20•5 years ago
Seems like this is a one-liner fix to add core.exe here: https://searchfox.org/mozilla-central/rev/ff462a7f6b4dd3c3fdc53c9bc0b328f42a5b3d2b/accessible/windows/msaa/LazyInstantiator.cpp#181

Jim, are we worried about blocking legit versions of core.exe?
Flags: needinfo?(jmathies)
Comment 21•5 years ago
(In reply to David Bolter [:davidb] (NeedInfo me for attention) from comment #20)
> Seems like this is a one-liner fix to add core.exe here
> https://searchfox.org/mozilla-central/rev/ff462a7f6b4dd3c3fdc53c9bc0b328f42a5b3d2b/accessible/windows/msaa/LazyInstantiator.cpp#181
>
> Jim are we worried about blocking legit versions of core.exe?

Yeah, I don't think our confidence level is very high here. If this is banking software doing something useful we don't want to block it.
Flags: needinfo?(jmathies)
Comment 22•5 years ago
core.exe as accessibility client is also present in the crashes from bug 1417897, where another module of that software is causing a crash spike for Brazilian users since yesterday.
See Also: → 1417897
Comment 23•5 years ago
(In reply to Tracy Walker [:tracy] from comment #16)
> I haven't had any luck finding a way to install the software; I am still investigating.

At http://www.dieboldnixdorf.com.br/warsaw, once you select an institution, it provides download links for the software.
Comment 24•5 years ago
This is also linked to from the individual banks' websites, eg: https://seg.bb.com.br/home.html
Updated•6 months ago
Severity: normal → S3