1450297 - Generic IOC: RtoLUnicode.ioc reported on Firefox 59.0.2

Status: RESOLVED INVALID

(Firefox :: Security, defect)

Description

[Cliff]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce:

Cisco AMP (6.0.5) has reported "Generic IOC: RtoLUnicode.ioc" with the latest release of 59.0.2.  Alerts started when client was upgraded to 59.0.2.
SHA256 of firefox.exe file:  e1010feb5e9d4726c2a8bf092d3f00521cccb2ee7189273eeb8d297a469104b9



Actual results:

Cisco AMP reported the following details below.

Description: A filename was detected containing the right to left unicode character. This causes the character string following the symbol to be displayed in reverse. This is used for displaying languages such as Arabic in the correct way. Seeing this in a filename is very unusual, and is known to be used by the OSX malware Janicab.

File Path:  /C:/Program Files (x86)/Mozilla Firefox/firefox.exe

Command Line Arguments:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe -contentproc --channel=35608.3.1388889114\1419996700 -childID 1 -isForBrowser -intPrefs 6:50|7:-1|34:1000|42:20|43:5|44:10|51:0|57:128|58:10000|63:0|65:400|66:1|67:0|68:0|69:100|74:0|75:120|76:120|159:2|160:1|164:60|165:30|166:512000|175:5000|177:6|191:8192|192:524288|193:5|206:10000|227:24|228:32768|230:0|231:0|240:5|244:1048576|246:100|247:5000|249:600|251:1|260:2000|277:4|281:0|290:60000|308:300|309:30| -boolPrefs 1:0|2:0|4:1|5:0|24:1|27:0|28:1|29:1|31:1|32:1|33:1|36:1|37:0|38:1|41:1|45:1|46:0|47:0|48:1|49:1|50:1|52:0|55:1|56:1|59:0|60:0|61:0|62:0|64:0|70:1|71:1|72:0|73:1|77:1|78:1|79:0|80:0|81:1|82:1|83:0|84:1|87:0|88:0|91:1|92:1|96:1|97:1|98:0|99:1|100:0|101:0|103:0|104:0|105:1|106:1|107:1|110:1|111:1|112:1|113:1|114:1|115:0|116:0|117:0|119:0|120:1|121:1|122:0|123:0|124:0|125:0|127:1|128:0|129:1|130:1|131:1|132:0|133:0|134:1|135:1|136:1|137:1|138:0|139:1|140:1|141:1|142:1|143:1|144:1|145:0|146:1|147:1|148:0|149:1|150:0|152:0|153:0|154:0|155:1|156:1|157:1|158:1|161:1|162:0|172:0|173:0|174:1|178:1|181:0|182:1|184:1|186:0|188:1|194:1|195:0|196:1|197:1|198:0|201:1|205:1|207:1|208:0|210:1|213:0|219:0|220:1|221:0|222:1|225:0|226:0|229:1|232:0|234:1|235:1|237:1|238:0|245:1|248:1|253:0|254:0|255:0|256:1|257:1|258:0|259:1|264:0|267:1|268:1|269:1|270:1|271:1|272:0|273:0|279:0|282:0|283:0|284:1|285:1|286:0|287:1|288:1|289:1|291:0|292:0|294:0|303:1|304:1|305:0|306:0|307:0| -stringPrefs 3:7;release|151:0;|212:3;1.0|223:332;  ¼½¾ǃː̷̸։֊׃״؉؊٪۔܁܂܃܄ᅟᅠ᜵           ​‎‏‐’․‧

 ‹›⁁⁄⁒ ⅓⅔⅕⅖⅗⅘⅙⅚⅛⅜⅝⅞⅟∕∶⎮╱⧶⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞．／｡ﾠ�|224:4;high|278:38;{65130f1f-27d3-4976-884e-dd68d3b2e709}| -schedulerPrefs 0001,2 -greomni C:\Program Files (x86)\Mozilla Firefox\omni.ja -appomni C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja -appdir C:\Program Files (x86)\Mozilla Firefox\browser 35608 \\.\pipe\gecko-crash-server-pipe.35608 tab



Expected results:

NA

Comment 1

[u554753]

I think this might be a security issue, so going to triage as such.

Comment 2

[Mike Conley (:mconley) (:⚙️)]

We no longer pass preferences through the command line arguments to content processes like this, so I believe this should now be fixed. Please re-open if this is an issue.