Closed Bug 512406 Opened 12 years ago Closed 12 years ago

Blocklist NPFFAddOn.dll [@ NPFFAddOn.dll@0x11867]

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: morgamic, Assigned: morgamic)

References

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(3 files)

NPFFAddOn.dll needs to be blocklisted for all apps, all versions.  It is adware.
I wrote this up not knowing morgamic was filing a bug...

Per bug 512122 and the sheer rate of crashes coming in, we seem to be getting hit by malware that's latching on to Firefox and causing it to crash. afaict, there is no legit website for "NPFFAddOn.dll" which is installed in a "Internet Saving Optimizer" directory.

We should blocklist this dll immediately, the faster the better. It's clearly causing crashes and has spiked up 10 fold in the last two days.

Please block all versions of NPFFAddOn.dll.

If this turns out to be a legit extension, we can unblock it later after it's no longer crashing us.
INSERT INTO `blplugins` (`name`, `guid`, `min`, `max`, `os`, `xpcomabi`, `description`, `filename`) VALUES (NULL, '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}', NULL, '*', NULL, NULL, NULL, 'NPFFAddOn.dll');
Needs mozilla.com list item at:
http://www.mozilla.com/en-US/blocklist/

Will wait to see what happens tomorrow.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
FWIW, there's been a huge drop (from ~ 5% of reports to just one) in people reporting popup ads that they can't get rid of over the past week.
From looking at infected files from users, this seems to be loaded as a xpcom component instead of a plugin, despite the np prefix.  Plugin blocklisting doesn't affect this case, so we should also blocklist the wrapper extension that is inserting this component.

The extension is usually in C:\Program Files\Internet Saving Optimizer\ and/or C:\Program Files\Media Access Startup on affected machines.
FWIW, we're still seeing crashes but the blocklist may have helped with the popups.
Should we blocklist the extension component too
This is the install.rdf from the Internet Saving Optimizer extension, obtained from a user on support.mozilla.com.

The ID "{2224E955-00E9-4613-A844-CE69FCCAAE91}" should be blocked for all applications, all versions, as well as the name/description of "NP Helper Class".
Severity: normal → critical
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We can't blog extensions based on name, but I could add that for plugins.
(In reply to comment #9)
> We can't blog extensions based on name, but I could add that for plugins.

I don't think that name has ever been used as a plugin, so blocking it there wouldn't do any good.  In any case, the extension ID should be blocked ASAP.
Can we do it on the GUID for the extension part?  Is make much crashing for our users, thus sad.
Keywords: topcrash
Summary: Blocklist NPFFAddOn.dll → Blocklist NPFFAddOn.dll [@ NPFFAddOn.dll@0x11867]
Attached file target blocklist.xml
Added blocklist entry for {2224e955-00e9-4613-a844-ce69fccaae91}.  This should go out in a few hours; waiting for IT.
<emItem id="{2224e955-00e9-4613-a844-ce69fccaae91}"/> is on prod.  Resolving.
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
For Firefox 3.5.3 crashes within the last 7 days, NPFFAddOn.dll@0x11867 is #18; for crashes in the last 1 day it's #24, so this seems perhaps to be helping a little bit.  Perhaps it takes the blocklist some time to get updated, especially for people who are crashing a lot?
The blocklist.xml shipped with the application
(http://mxr.mozilla.org/mozilla-central/source/browser/app/blocklist.xml) does
not yet include this update, so new users who crash on startup won't be
protected.
For the last 1 day period, the crashes (Windows Firefox 3.5.3) are back to #14, so I don't think this helped.
Blocks: 494742
dtownsend: see comment 15, please.  Need to update the shipped blocklist.xml ASAP.
Crash Signature: [@ NPFFAddOn.dll@0x11867]
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.