Closed Bug 527125 Opened 10 years ago Closed 10 years ago

block calc.dll and its partners

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86
Windows Vista
RESOLVED FIXED
Tracking Status
status1.9.2 --- beta5-fixed

People

(Reporter: chofmann, Assigned: johnath)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

instances of 
[Bug 467167] Mozilla crashes on startup [@ _PR_MD_SEND ] because of various buggy LSPs

https://bugzilla.mozilla.org/show_bug.cgi?id=467167#c57

and it's crashing on its own

/var/www/html/crash_analysis/20091105/20091105_Firefox_3.0.15-core-counts.txt:  calc.dll@0x39e4|EXCEPTION_ACCESS_VIOLATION (15 crashes)
/var/www/html/crash_analysis/20091105/20091105_Firefox_3.0.15-core-counts.txt:  calc.dll@0x3960|EXCEPTION_ACCESS_VIOLATION (13 crashes)
/var/www/html/crash_analysis/20091105/20091105_Firefox_3.6b1-interesting-modules.txt:     31% (4/13) vs.   0% (4/2218) calc.dll
OS: Mac OS X → Windows Vista
I pulled some recent data and it's even more heavily correlated with the _PR_MD_SEND crashes now.

Over the last 3 days the data has looked like this:

     20% (227/1143) vs.   0% (340/93699) calc.dll

     17% (166/997) vs.   0% (307/91800) calc.dll

     25% (295/1158) vs.   0% (465/97540) calc.dll


In all instances it's version 1.0.0.1 that is crashing us. There's a couple of other versions floating around in the crash data, but they seem uncorrelated with any crashes.

Also, it doesn't seem like it's just causing PR_MD_SEND crashes. Other signatures it's correlated with are:

  calc.dll@0x3a4a|EXCEPTION_ACCESS_VIOLATION (69 crashes)
    100% (69/69) vs.   0% (465/97540) calc.dll

  recv|EXCEPTION_ACCESS_VIOLATION (22 crashes)
     27% (6/22) vs.   0% (465/97540) calc.dll

  calc.dll@0x39f0|EXCEPTION_ACCESS_VIOLATION (14 crashes)
    100% (14/14) vs.   0% (465/97540) calc.dll

  calc.dll@0x3a62|EXCEPTION_ACCESS_VIOLATION (12 crashes)
    100% (12/12) vs.   0% (465/97540) calc.dll

  _StrChrA|EXCEPTION_ACCESS_VIOLATION (10 crashes)
     30% (3/10) vs.   0% (465/97540) calc.dll

Ok, no big surprise that crashes in calc.dll are correlated with calc.dll being loaded :)

In all instances it's version 1.0.0.1 which is the correlating version.

Copying the info that chofmann is linking to in comment 0, this doesn't seem like something we should feel particularly bad about blocking:
http://www.greatis.com/appdata/d/SysDir/c/calc.dll.htm
http://www.prevx.com/filenames/263801209745593736-X1/CALC.DLL.html
Component: General → Blocklisting
Product: Firefox → addons.mozilla.org
QA Contact: general → blocklisting
Version: 3.5 Branch → unspecified
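
The correlation lines quoted in the comment above, parsed and scored, as an added example that is not part of the bug thread or Mozilla's tooling: it recovers the baseline rate the report rounds to "0%", the lift per signature, and a hypergeometric tail probability showing that even the small samples (3/10) are far from chance. It assumes the second fraction counts all crashes in the report, including the signature's own; `parse_report` and `tail_p` are hypothetical names.

```python
import re
from math import comb

# Lines copied from the comment above: a crash signature, then the module line.
REPORT = """\
  calc.dll@0x3a4a|EXCEPTION_ACCESS_VIOLATION (69 crashes)
    100% (69/69) vs.   0% (465/97540) calc.dll
  recv|EXCEPTION_ACCESS_VIOLATION (22 crashes)
     27% (6/22) vs.   0% (465/97540) calc.dll
  _StrChrA|EXCEPTION_ACCESS_VIOLATION (10 crashes)
     30% (3/10) vs.   0% (465/97540) calc.dll
"""

SIG_RE = re.compile(r"^\s*(.+?) \((\d+) crashes\)\s*$")
COR_RE = re.compile(
    r"^\s*\d+% \((\d+)/(\d+)\) vs\.\s+\d+% \((\d+)/(\d+)\) (\S+)\s*$")


def tail_p(k, n, K, N):
    """Hypergeometric P(X >= k): n crashes drawn from N, K of which loaded the module."""
    hits = sum(comb(K, i) * comb(N - K, n - i) for i in range(k, min(n, K) + 1))
    return hits / comb(N, n)


def parse_report(text):
    """Return one row per (signature, module) pair with lift and tail probability."""
    rows, sig = [], None
    for line in text.splitlines():
        if m := SIG_RE.match(line):
            sig = m.group(1)
        elif (m := COR_RE.match(line)) and sig:
            k, n, K, N = map(int, m.group(1, 2, 3, 4))
            if not (0 < K <= N and 0 < n <= N and k <= min(n, K)):
                continue  # malformed or empty counts: skip rather than divide by zero
            rows.append({
                "signature": sig, "module": m.group(5),
                "baseline": K / N,            # the report rounds this to "0%"
                "lift": (k / n) / (K / N),    # how over-represented the module is
                "p": tail_p(k, n, K, N),      # chance of >= k hits at the baseline rate
            })
    return sorted(rows, key=lambda r: r["p"])


if __name__ == "__main__":
    for r in parse_report(REPORT):
        print(f'{r["module"]:10} {r["signature"]:45} '
              f'lift={r["lift"]:6.1f}x p={r["p"]:.1e}')
```
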
I'd like to make sure that component directory lockdown didn't fix this before adding it to the list.
The data from 3.6b3 looks basically the same, and we have the component directory lockdown there, so it hasn't helped.
Indications from the 'net are that this is dropped in the Windows %sysdir% not our components directory. I agree that we should add this to the blocklist. Assigning to johnath.
Assignee: nobody → johnath
Flags: blocking-firefox3.6? → blocking-firefox3.6+
(In reply to comment #3)
> The data from 3.6b3 looks basically the same, and we have the component
> directory lockdown there, so it hasn't helped.

Yep, I agree. McAfee's threat center lists it as a trojan drop for multiple baddies, and it doesn't appear on a default Windows install.

Nevertheless, given:

(In reply to comment #1)
> In all instances it's version 1.0.0.1 that is crashing us. There's a couple of
> other versions floating around in the crash data, but they seem uncorrelated
> with any crashes.
... 
> Ok, no big surprise that crashes in calc.dll are correlated with calc.dll being
> loaded :)
> 
> In all instances it's version 1.0.0.1 which is the correlating version.

this patch just blocks v1.0.0.1. I know a malware author can rev the version number, they can also change names - this tool isn't an antivirus product, it's a tactical response to specific crashers, so I prefer to be as conservative as possible.
Attachment #414849 - Flags: review?(vladimir)
Whiteboard: [has patch][needs review vlad]
Flags: blocking-firefox3.6+ → wanted-firefox3.6+
a192=beltzner
Whiteboard: [has patch][needs review vlad] → [can land 1.9.2]
http://hg.mozilla.org/mozilla-central/rev/18824c6eea24
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit