Closed Bug 527125 Opened 10 years ago Closed 10 years ago
.dll and its partners
instances of [Bug 467167] Mozilla crashes on startup [@ _PR_MD_SEND ] because of various buggy LSPs
https://bugzilla.mozilla.org/show_bug.cgi?id=467167#c57

and it's crashing on its own

/var/www/html/crash_analysis/20091105/20091105_Firefox_3.0.15-core-counts.txt: calc.dll@0x39e4|EXCEPTION_ACCESS_VIOLATION (15 crashes)
/var/www/html/crash_analysis/20091105/20091105_Firefox_3.0.15-core-counts.txt: calc.dll@0x3960|EXCEPTION_ACCESS_VIOLATION (13 crashes)
/var/www/html/crash_analysis/20091105/20091105_Firefox_3.6b1-interesting-modules.txt: 31% (4/13) vs. 0% (4/2218) calc.dll
I pulled some recent data and it's even more heavily correlated with the _PR_MD_SEND crashes now. Over the last 3 days the data has looked like this:

20% (227/1143) vs. 0% (340/93699) calc.dll
17% (166/997) vs. 0% (307/91800) calc.dll
25% (295/1158) vs. 0% (465/97540) calc.dll

In all instances it's version 18.104.22.168 that is crashing us. There's a couple of other versions floating around in the crash data, but they seem uncorrelated with any crashes.

Also, it doesn't seem like it's just causing PR_MD_SEND crashes. Other signatures it's correlated with are:

calc.dll@0x3a4a|EXCEPTION_ACCESS_VIOLATION (69 crashes)
100% (69/69) vs. 0% (465/97540) calc.dll

recv|EXCEPTION_ACCESS_VIOLATION (22 crashes)
27% (6/22) vs. 0% (465/97540) calc.dll

calc.dll@0x39f0|EXCEPTION_ACCESS_VIOLATION (14 crashes)
100% (14/14) vs. 0% (465/97540) calc.dll

calc.dll@0x3a62|EXCEPTION_ACCESS_VIOLATION (12 crashes)
100% (12/12) vs. 0% (465/97540) calc.dll

_StrChrA|EXCEPTION_ACCESS_VIOLATION (10 crashes)
30% (3/10) vs. 0% (465/97540) calc.dll

Ok, no big surprise that crashes in calc.dll are correlated with calc.dll being loaded :)

In all instances it's version 22.214.171.124 which is the correlating version.

Copying the info that chofmann is linking to in comment 0, this doesn't seem like something we should feel particularly bad about blocking:

http://www.greatis.com/appdata/d/SysDir/c/calc.dll.htm
http://www.prevx.com/filenames/263801209745593736-X1/CALC.DLL.html
Component: General → Blocklisting
Product: Firefox → addons.mozilla.org
QA Contact: general → blocklisting
Version: 3.5 Branch → unspecified
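An added example, not part of the bug thread or of Mozilla's crash-analysis tooling: a small parser for the module-correlation lines quoted in the comments above that ranks rows by how over-represented the module is in a signature. The reading of the two fractions, the function names and the `min_lift` / `min_hits` thresholds are assumptions made for illustration.

```python
import re

# Line shape used in the comments above, e.g.
#   "20% (227/1143) vs. 0% (340/93699) calc.dll"
# Assumed reading: (crashes with this signature that had the module loaded /
# crashes with this signature) vs. (all crashes with the module / all crashes).
LINE_RE = re.compile(
    r"\d+%\s+\((\d+)/(\d+)\)\s+vs\.\s+\d+%\s+\((\d+)/(\d+)\)\s+(\S+)")

# Copied from the comments above, plus one constructed malformed line.
SAMPLE = [
    "20% (227/1143) vs. 0% (340/93699) calc.dll",
    "17% (166/997) vs. 0% (307/91800) calc.dll",
    "25% (295/1158) vs. 0% (465/97540) calc.dll",
    "27% (6/22) vs. 0% (465/97540) calc.dll",
    "30% (3/10) vs. 0% (465/97540) calc.dll",
    "31% (4/0) vs. 0% (4/2218) calc.dll",  # constructed: zero denominator
]

def parse_correlation(line):
    """Return the counts from one correlation line, or None if unusable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    sig_hits, sig_total, all_hits, all_total = map(int, m.groups()[:4])
    # Reject rows whose counts cannot be real (empty or inconsistent samples).
    if sig_total == 0 or all_hits == 0 or sig_hits > sig_total or all_hits > all_total:
        return None
    return {"module": m.group(5), "sig_hits": sig_hits, "sig_total": sig_total,
            "all_hits": all_hits, "all_total": all_total}

def lift(rec):
    """How many times more often the module appears in this signature than overall."""
    return (rec["sig_hits"] / rec["sig_total"]) / (rec["all_hits"] / rec["all_total"])

def candidates(lines, min_lift=10.0, min_hits=20):
    """Rows with enough crashes and enough lift to justify a closer look.
    Both thresholds are illustrative assumptions, not values from the bug."""
    out = []
    for line in lines:
        rec = parse_correlation(line)
        if rec and rec["sig_hits"] >= min_hits and lift(rec) >= min_lift:
            out.append((rec["module"], rec["sig_hits"], round(lift(rec), 1)))
    return out

if __name__ == "__main__":
    for row in candidates(SAMPLE):
        print(row)
```

The percentages in the report round the baseline to 0%, which hides the size of the effect; working from the raw counts shows the module is roughly 50 times more common in the three daily samples than across all crashes.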
I'd like to make sure that component directory lockdown didn't fix this before adding it to the list.
The data from 3.6b3 looks basically the same, and we have the component directory lockdown there, so it hasn't helped.
Indications from the 'net are that this is dropped in the Windows %sysdir% not our components directory. I agree that we should add this to the blocklist. Assigning to johnath.
Assignee: nobody → johnath
Flags: blocking-firefox3.6? → blocking-firefox3.6+
(In reply to comment #3)
> The data from 3.6b3 looks basically the same, and we have the component
> directory lockdown there, so it hasn't helped.

Yep, I agree. McAfee's threat center lists it as a trojan drop for multiple baddies, and it doesn't appear on a default Windows install. Nevertheless, given:

(In reply to comment #1)
> In all instances it's version 126.96.36.199 that is crashing us. There's a couple of
> other versions floating around in the crash data, but they seem uncorrelated
> with any crashes.
...
> Ok, no big surprise that crashes in calc.dll are correlated with calc.dll being
> loaded :)
>
> In all instances it's version 188.8.131.52 which is the correlating version.

this patch just blocks v184.108.40.206. I know a malware author can rev the version number, they can also change names - this tool isn't an antivirus product, it's a tactical response to specific crashers, so I prefer to be as conservative as possible.
Attachment #414849 - Flags: review?(vladimir)
Whiteboard: [has patch][needs review vlad]
Flags: blocking-firefox3.6+ → wanted-firefox3.6+
Attachment #414849 - Flags: review?(vladimir) → review+
Whiteboard: [has patch][needs review vlad] → [can land 1.9.2]
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED