MitchHellman

[SOLVED] Fire-IE plugin for Firefox


For the past week or so, MBAE has randomly shown a warning message about an exploit attempt, and then closed Firefox. When I start up Firefox again, sometimes the warning and closure will repeat immediately, but other times everything functions normally. Occasionally, I will get the warning message as I am *closing* Firefox. There doesn't appear to be any specific action on my part or on Firefox's to cause the warning and closure; sometimes it occurs without any action at all. If I stop MBAE's protection, Firefox works without any problem. I suppose this could be an actual warning of a blocked exploit attempt, but it happens too frequently (and on more than one network) for me to believe that the warnings are not false positives.

Here are my vital statistics: I'm on a Dell Inspiron 17 5000 Series with a 4th gen Intel i7 chip and 8 gigs of RAM under Windows 7 Pro. I am using MBAE 1.05.1.1016 and Firefox 34.0; a zipped copy of the entire MBAE logs directory folder is attached.

applications.zip


Can you please try completely closing (or uninstalling) PerfectGuard from Raxco, rebooting and trying again?


Per your request, I uninstalled PerfectGuard and rebooted. After turning on MBAE protection, I started Firefox and the same problem occurred. I restarted Firefox, then ran FRST again. The two files are attached. BTW: if I recall correctly, the MBAE/Firefox problem started before I installed PerfectGuard.

 

Thanks again.

FRST.txt

Addition.txt


Thanks for the quick turn-around Mitch.

 

The only other two items that stand out as potential conflicts would be the following:

 

() C:\Program Files (x86)\HddLed\hddled.exe
() C:\Program Files (x86)\HddLed\hddledd.exe

 

(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe

(SwapDrive, Inc.) C:\Program Files (x86)\QuickBooks Online Backup\OnlineBackup.exe

 

Could you please try stopping the service of HddLed (and closing its traybar icon if present) and trying again?

 

If that doesn't work, please do the same with QuickBooks and its online backup (service and traybar icons) and try again.


Sorry for the delay in replying to your message.

I uninstalled hddled and the behavior remains unchanged.

 

I have had QuickBooks since day 1. I will try to stop it, but it may be a bit tricky as there are several processes related to it...and I need it too much to consider uninstalling it.

 

The latest FRST logs are attached.

Addition.txt

FRST.txt


I ended the onlinebackup.exe process and stopped the QBCFMonitorService.exe and QBIDPService.exe services. I did not reboot after these actions, as they will automatically re-start if I do. The problem is still occurring; here are two new FRST Files:

FRST.txt

Addition.txt


Thanks for the logs and running these tests Mitch. Nothing out of the ordinary stands out from your logs. It should be working without a problem.

 

Could you try creating a new Firefox profile without all the plugins and extensions to see if it works then?


Closing this thread as solved for lack of activity.

 

Mitch, if you'd like me to re-open it simply send me a PM.


Re-opening as per request and posting here Mitch's PM:

 

----------

I was on vacation and didn't return to the computer until Friday. Based on your suggestion about a Firefox add-on being the possible source of my problem, I disabled one add-on and re-started Firefox; when the problem surfaced again, I would re-start Firefox, go to the add-ons, enable the one that I had previously disabled, then disable the next add-on, re-start the computer, then wait for it to happen again.

 

The one that *appears* to be the culprit is Fire IE, an IE-tab sort of extension. So far, it's been running without incident. Fingers crossed...

--------

 

I'll keep the thread unlocked for a few days to see if the problem is resolved without that add-on. We'll also test it in-house.


I had similar problems with the Fire IE extension conflicting with Malwarebytes Anti-Exploit free. Initially I was unable to narrow down the cause, and had to uninstall MBAE until finding the cause. Today, I found this thread and after noticing I have the conflicting Fire IE extension I decided to give it another try. The problem is, I really need Fire IE so I wondered why there is this conflict. So, I installed Fire IE again and this time I set it to OOPP mode (set dom.ipc.plugins.enabled.npfireie32.dll to true in about:config), then restarted Firefox. No more execution halts since then. Yes, Fire IE doesn't run in plugin-container.exe, it runs in firefox.exe by default. This is due to stability and other issues. Fortunately the latest beta version of Fire IE is already pretty stable and decently fast in OOPP mode, but there are still some nasty issues preventing OOPP from being enabled by default.

Fire IE source code is hosted here:   https://github.com/yxl/Fire-IE/

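A way to check which Firefox profiles already carry the OOPP setting described in the post above, as an added example that is not part of the thread or of Fire IE's code. It assumes the standard `prefs.js`/`user.js` line format and the default Windows profile location; the function names are hypothetical.

```python
import os
import re
from pathlib import Path

# Pref name quoted in the post above; everything else here is an assumption.
OOPP_PREF = "dom.ipc.plugins.enabled.npfireie32.dll"
# Firefox stores prefs as lines of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref line; the last one wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def oopp_state(prefs_js="", user_js=""):
    """True/False if the pref is set, None if absent. user.js overrides prefs.js."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    raw = merged.get(OOPP_PREF)
    return None if raw is None else raw == "true"


def scan_profiles(profiles_dir):
    """Map each profile directory name to its OOPP state."""
    def read(path):
        return path.read_text(encoding="utf-8", errors="replace") if path.is_file() else ""
    return {p.name: oopp_state(read(p / "prefs.js"), read(p / "user.js"))
            for p in sorted(Path(profiles_dir).iterdir()) if p.is_dir()}


if __name__ == "__main__":
    # Constructed sample, not taken from the thread's attachments.
    sample = 'user_pref("browser.startup.page", 3);\nuser_pref("%s", true);\n' % OOPP_PREF
    print("sample:", oopp_state(sample))
    labels = {True: "OOPP on", False: "OOPP off", None: "pref not set"}
    root = Path(os.environ.get("APPDATA", "")) / "Mozilla" / "Firefox" / "Profiles"
    for name, state in (scan_profiles(root).items() if root.is_dir() else []):
        print(name, labels[state])
```

A result of "pref not set" or "OOPP off" marks a profile where, per the posts in this thread, Fire IE 0.4.4 or older runs inside firefox.exe.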

I opened an issue report to Fire IE regarding this topic here:

https://github.com/yxl/Fire-IE/issues/153

@patwonder mentions a hack in ATL DEP hook to get ActiveX controls written with ATL 7.1 or older working through DEP as the cause. The source code of this module is in these 2 files:

https://github.com/yxl/Fire-IE/blob/master/plugin/BrowserHook/AtlDepHook.h

https://github.com/yxl/Fire-IE/blob/master/plugin/BrowserHook/AtlDepHook.cpp


We're having a hard time reproducing this issue. Do you have any ideas, special configurations or specific webpages you think trigger the MBAE alert?


I made some tests and I think I know why you can't reproduce. The default settings of Fire IE 0.4.4 or older are as follows:

-OOPP disabled;

-IE Compatibility Mode set to IE7 Standards Mode. 

It has already been determined that if OOPP is enabled the exploit alert isn't fired.

So the only difference is made by the IE Compatibility mode. When this is raised to any IE8 mode or higher the exploit alert may occur:

-when randomly visiting a webpage;

-when restarting Firefox shortly after it was closed;

-when attempting to adjust Fire IE settings (Right click on its icon and select Fire IE Options). This triggers the alert every single time. Have to switch current webpage to IE engine (left click on Fire IE icon) in order to be able to adjust Fire IE settings.

Internet Explorer 7 is really old, so emulating it in Fire IE is pretty pointless; as a result users raise the Compatibility mode to the highest mode that works with the target website(s) they visit frequently.

Main reason why this plugin is popular is because it exports Adblock Plus functionality to IE rendered webpages. Adblock Plus for IE is just a mere shadow of Adblock Plus for Firefox.

Attached some pictures that can help with reproducing.

 

 

 



While testing https://forums.malwarebytes.org/index.php?/topic/164597-exploit-found-with-china-bank-icbc/ I discovered that for some odd reason this conflict didn't occur, although the test machine has Windows XP with IE8 so it should have happened in these 2 cases:
-Fire IE OOPP disabled IE8 Standards Mode;

-Fire IE OOPP disabled IE8 Forced Standards Mode.

The test machine doesn't have MBAM installed, so I decided to try suppressing the conflict by turning off protection modules. It appears that if I turn website protection off no more exploit alert. MBAE behavior seems to change only after user log off / log on.

TODO: Install MBAM Premium trial on test machine and see if false exploit alert is fired.  

It appears that if I turn website protection off no more exploit alert. MBAE behavior seems to change only after user log off / log on.

TODO: Install MBAM Premium trial on test machine and see if false exploit alert is fired.  

 

Did I understand this correctly? The MBAE alert only happens if MBAM Premium is installed with website protection enabled?


Yes, that's how it looks to me. It seems it also doesn't happen if self-defense is disabled. It doesn't happen on XP 32-bit at least. I always experienced this on Windows 7 x64. I'll also test on Windows 10 TP x86. A wild guess I have is that it won't fire an exploit alert.


Completed testing. Here are the results:

a. It never happens if any 1 of these conditions is met:

-host is running 32-bit Windows;

-Fire IE is set to OOPP.

b. It possibly doesn't happen if OOPP is disabled and Fire IE Compatibility mode is unchanged from default IE7 Standards mode.

c. Number of incidents may grow if Malwarebytes Anti-Malware Premium is installed and has self-defense or Website Protection enabled or both.

Overall issue reproducing is very difficult as no precise action triggers the alert.

 

On another note, Fire IE 0.4.5 beta is out, which turns OOPP on by default. So I don't know how much it is worth investigating this further. I think that Fire IE devs will nullify this issue before you figure out the cause.

