Closed Bug 306721 Opened 19 years ago Closed 18 years ago

Application Hijacking has been detected by my Sygate firewall.

Categories

(Firefox :: Security, defect)

x86
Windows 2000
defect
Not set
major


RESOLVED WORKSFORME

People

(Reporter: d.paynter, Unassigned)

Details

(Whiteboard: [sg:needinfo])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5

The application: C:\Program Files\Mozilla Thunderbird\thunderbird.exe  tried to
launch another application: C:\Program Files\Mozilla Firefox\firefox.exe  to go
to remote host  sympmsnnews.112.2o7.net, even after I closed Thunderbird. This
occurred 9 times in a row over 3 minutes, before I blocked all access for
Thunderbird. I am using version 1.0.5 (20050711).

The firewall is Sygate Personal Firewall Version 5.6 Build 2808.

The firewall reports such hijacking when I am at my homepage,
http://sympatico.msn.ca/ and am scanning the news. This is a recent problem,
which is becoming a continuous problem.

Reproducible: Always

Steps to Reproduce:
1. Have the firewall confirm access to the network by both Firefox & Thunderbird.
2. Access the homepage & open a news story in a new tab.
3. The firewall will report Thunderbird activity, as quoted in the Details above.

Actual Results:  
The firewall keeps reporting hijacking, each time to a different site.

Expected Results:  
Thunderbird shouldn't be accessing Firefox, should it?

I'll include the firewall log.
Attached file Firewall log
I saved the firewall log as a text file so you can see the progression of
events.
This is odd, but does not look like a security attack -- all of the sites
mentioned look like ones you'd normally stumble upon in web surfing. It's also
not so odd for Thunderbird to be loading pages (HTML mail with images? RSS
feeds?), but normally it's not called from Firefox.

sympmsnnews.112.2o7.net in particular is a hit counter, probably on one of the
pages you surf: http://answers.google.com/answers/threadview?id=439961

Thunderbird would launch Firefox when you click on a link in an email or
newsgroup message.

Since Thunderbird and Firefox share the same Mozilla web engine it's
theoretically possible someone could reverse all the settings so that Firefox
uses Thunderbird rather than vice versa. I can't think of any way for that to
happen accidentally, and I can't imagine why it would be interesting to do
maliciously. Still, check this for me:

- In Firefox type "about:config" in the location bar (hit Enter).
- type 'protocol-handler' without quotes into the filter box

you should see an "expose-all" set to true, and see individual expose settings
for mailto, news, nntp and snews set to false. Don't change anything, just
report here if anything is set differently. If any of the protocol-handler
settings are bold and say "user set" in the Status column report that too.
Whiteboard: [sg:needinfo]
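The same check can be made against the profile's prefs.js instead of about:config, since a pref that appears there is exactly one that about:config shows as "user set". This added Python example is not from the bug or from Mozilla; it parses constructed user_pref lines and reports the protocol-handler prefs asked about above, assuming the about:config entries "expose-all" and "expose.mailto" etc. correspond to the full network.protocol-handler.* pref names.

```python
import re
# Expected state from comment #2: expose-all true, the individual expose
# settings for mailto, news, nntp and snews false. The full pref names are
# assumed to be Firefox's network.protocol-handler.* keys as stored in prefs.js.
EXPECTED = {
    "network.protocol-handler.expose-all": True,
    "network.protocol-handler.expose.mailto": False,
    "network.protocol-handler.expose.news": False,
    "network.protocol-handler.expose.nntp": False,
    "network.protocol-handler.expose.snews": False,
}
# One prefs.js line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_value(raw):
    """Turn the JS literal from a user_pref line into a Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)

def parse_prefs(text):
    """{name: value} for every user_pref line; presence == 'user set' in about:config."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit_protocol_handlers(text):
    """List (name, value, status) for every user-set protocol-handler pref."""
    prefs = parse_prefs(text)
    findings = []
    for name, expected in EXPECTED.items():
        if name in prefs:
            status = "matches default" if prefs[name] == expected else "DIFFERS from default"
            findings.append((name, prefs[name], status))
    for name, value in prefs.items():  # other protocol-handler prefs the user set
        if name.startswith("network.protocol-handler.") and name not in EXPECTED:
            findings.append((name, value, "not in the expected list"))
    return findings

# Constructed sample prefs.js (not the reporter's real profile): one expose
# pref flipped to true, plus a related external.mailto pref.
SAMPLE_PREFS = '''user_pref("browser.startup.homepage", "http://sympatico.msn.ca/");
user_pref("network.protocol-handler.expose.mailto", true);
user_pref("network.protocol-handler.external.mailto", true);
'''
```

Run audit_protocol_handlers() on the text of a real prefs.js; an empty result means nothing in that family was user-set.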
Attached file Response to Comment #2
Bugzilla insists that I attach a file, so here's the log file again.

I checked as you requested: there are no anomalies. 

From your discussion, you seem to think that I'm actually doing something with
Thunderbird when the browser is called up. In fact, the mail application is
idle when this sequence starts. I'm using the browser to read the news, and
somehow the mail client is getting involved, all by itself and with no input
from me. That's the strange part, and it is quite new: I've been using the
Firefox/Thunderbird combo for several months now, with nothing like this
happening until very recently.
(In reply to comment #3)
> Bugzilla insists that I attach a file, so here's the log file again.
It should only do that if you hit the "Create an attachment" link in the
Attachment table.

> From your discussion, you seem to think that I'm actually doing something with
> Thunderbird when the browser is called up.

Not at all, that's why I had you check the _Firefox_ protocol-handler settings
to see if somehow it was set to ship things to an external app. The next step
would have been to see if Thunderbird was equally messed up. It was a long shot,
but the only rational explanation for the symptoms I could think of.

> idle when this sequence starts. I'm using the browser to read the news, and
> somehow the mail client is getting involved, all by itself and with no input
> from me. That's the strange part, and it is quite new: I've been using the
> Firefox/Thunderbird combo for several months now, with nothing like this
> happening until very recently.

Did you make any changes at all to your system around the time this started?
Install or upgrade any software or drivers, Thunderbird in particular? Did the
Sygate firewall get upgraded around the time?

The sites listed in the log look like the normal things I'd expect to see if you
were surfing the sites you described. The only bizarre aspect is that your
firewall is claiming that Thunderbird is the app doing the surfing. Is
Thunderbird actually getting launched if you've shut it completely down? Is it
opening up? If it opens, what does it display? Does the content show up in
Firefox as well? There is no mechanism for Thunderbird to download stuff and
have it show up in Firefox as part of a page you surfed in Firefox.

Thunderbird can "surf" RSS feeds, do you have any of those set up? That could
generate traffic that looked like that, though it'd hit at fairly random
intervals rather than in response to Firefox traffic.

Have you done any virus or spyware scans?

Thunderbird *will* launch Firefox to load links you click on in mail or RSS
feeds, but not by itself.
(In response to comment #4)

Agreed.

Understood.

Firefox and Thunderbird were upgraded after the security scare in August.
They've both been working OK for a couple of weeks before this started. Sygate
hasn't been upgraded for a couple of months, and it too seems to be working OK.
I haven't changed any drivers (or anything else other than the definition files
for McAfee, Ad-Aware, Spybot, and Spyblaster) since I installed a new printer
in late June.

"Normally" this happens after I've checked my mail, and am scanning the news. It
doesn't seem to happen at any other time. Sympatico (Ma Bell up here in Canada)
has partnered with MSN and accepts leads from both CTV and the CBC for news
items. I haven't used the browser with Thunderbird closed: I'll try that this
weekend after a fresh boot, and see if the two work together with only Firefox
opened.

I'll give permission for Thunderbird to do what it wants the next time this
happens, and see where it leads.

I have no RSS feeds set up.

After this started I updated all the above noted applications, and ran a full
system scan, with no reported problems.

I've deliberately triggered URLs embedded in mail, and Thunderbird will open
Firefox at that point. The issue here is that I'm not doing anything deliberate
like that, and the firewall reports the application hijack.

Is it possible that the Thunderbird executable has been modified without my
knowledge, or that an active extension has been quietly installed? If so, how do
I check for that?

I tried doing the same browsing without Thunderbird being opened, and nothing
like an application hijacking occurred. Since no hijacking occurred, I haven't
allowed Thunderbird to do/go where it wants, so that will have to wait until the
trigger (whatever it is) happens.
This bug has unfortunately gone nowhere; I haven't heard any similar reports from anyone else either.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
