Jump to content
Geoff_R

Exploit ROP Gadget Attack/MS Edge

Recommended Posts

Per reviewing this forum, I have the same problem w/the Exploit ROP Gadget Attack Using Edge as described by others recently.  I have followed the directions and tried multiple reboots w/o success in alleviating the problem.  I have how created the log .zip file as described in the reply to "Munchkin" and have attached it for moderator review and further instructions.  (Note: I am currently using Pale Moon browser with no problems as I cannot access your site w/Edge due to the aforementioned recurring Exploit messages.

Malwarebytes Anti-Exploit.zip

Share this post


Link to post
Share on other sites

Like Geoff_R I am having the same issue with MS Edge, no issues with FF and Chrome. Am I to attach a log file as well and whats the fix for this?

Share this post


Link to post
Share on other sites

The logs will help the experts identify the issue.

What antivirus application do you both use?

Share this post


Link to post
Share on other sites

Interesting find... Forgot that I was also using IBM Trusteer Rapport on my desktop (problem reported above).  When I use my laptop, running Windows 10 Pro (latest update) along with Defender and MBAM Free WITHOUT Trusteer Rapport, there is no problem with MBAE and MS Edge... Hmmm....  Both PC's are running MBAE Version 1.09.1.1235

Share this post


Link to post
Share on other sites

Eureeka!!! After shutting down IBM Trusteer Rapport on my desktop, no more "Exploit ROP gadget attack blocked" message from MBAE.  Sorry for the long dialogue, but maybe this can help others who, like me, was very surprised and concerned about the message that I received from MBAE this morning.

Share this post


Link to post
Share on other sites
32 minutes ago, TonyRI said:

Eureeka!!! After shutting down IBM Trusteer Rapport on my desktop, no more "Exploit ROP gadget attack blocked" message from MBAE.  Sorry for the long dialogue, but maybe this can help others who, like me, was very surprised and concerned about the message that I received from MBAE this morning.

@TonyRI    What is the version number of Trusteer Rapport ?  Please check.  Also, check with Trusteer and lets make sure the pc has the latest version.

Share this post


Link to post
Share on other sites

@TonyRI   quoting from the Known-issues-conflicts section of the MBAE support sub-forum

Quote

Trusteer Rapport may conflict with MBAE. As a workaround simply disable the ROP and malicious return address protections in MBAE's advanced settings to make Trusteer work alongside MBAE.

But even with those techniques disabled sometimes Trusteer's "Pinpoint technology", which tries to detect the presence of Trusteer through a webpage, introduces a conflict whereby it cannot detect the presence of Trusteer's hooks. There is a long history of complaints about IBM's lack of interest in fixing Rapport's conflicts with dozens of security applications. We've managed to make Trusteer work with most web browsers but in the case of Pinpoint technology it does not know how to deal with basic chained API hooks. We are working on a new mechanism to handle these types of conflicts.

 

Share this post


Link to post
Share on other sites
35 minutes ago, Maurice Naggar said:

@TonyRI   quoting from the Known-issues-conflicts section of the MBAE support sub-forum

 

I can't believe this update was released. Y'all seem to know at least about the possibility of this happening. What in the world kind of real-world testing did you do? You had to have skipped browsing altogether - this problem impacts 8 out of 10 sites with IE11.

Kindly DO fix it because in the meantime I've just disabled MBAE. I want IE11 or nothing.

Just unbelievable.

Share this post


Link to post
Share on other sites
1 hour ago, Maurice Naggar said:

@TonyRI    What is the version number of Trusteer Rapport ?  Please check.  Also, check with Trusteer and lets make sure the pc has the latest version.

Hi Maurice,  It says Emerald Build 1609.103 Configuration File 3222288.  I've checked for updates within the app and it states that it is the latest version.  I went to the site and downloaded a fresh file, performed an update installation and it is the exact same version.   I've also reported the conflict directly to IBM support.  The site states that they are fully compatible with MBAM, but doesn't mention MBAE.  Thanks for the workaround, i'll try it.  Funny that it only impacts Edge and not Chrome, although Edge never shows the Rapport Icon in the browser, whereas Chrome shows it as an extension.  Thanks for your help, hope that this gets resolved soon.

Share this post


Link to post
Share on other sites

PS  Thanks! The workaround seems to have worked, however now I feel slightly unprotected.  Is it possible to let us know when an update/fix is completed so that I can go back to default settings?  Thanks again :)

Share this post


Link to post
Share on other sites

Hello All,

 

If you have the issue with trusteer and mbae, we will still want to see the logs for this to see some things on our side regarding the issue. If you could please collect the information from this link:

 

https://forums.malwarebytes.org/topic/144403-readme-first-posts-here-need-to-include-mbae-logs/

 

Make sure you do the steps for FRST in number 5 as we want to see that information as well. 

Share this post


Link to post
Share on other sites

This only happens with MS Edge. Not with FF or Chrome. If this happened with the other browsers, I would buy the snake oil that is being given. So asking what AV tools I am running, disable this and that doesn't solve the problem. So gentlemen, lets get back to the drawing board and have a firing solution.

Share this post


Link to post
Share on other sites

Hello Everyone,

 

If you are having the issue with Edge and the ROP gadget detection's, please try rebooting the computers and see if you still have the issue. We pushed out something and we want to see if it fixes the issue for you. Please let me know if you still have the issue after that or confirm that it fixed it!

Edited by Arthi

Share this post


Link to post
Share on other sites

Same - Problem still exists, unless I disable the ROP and malicious return address protections in MBAE's advanced settings

Share this post


Link to post
Share on other sites

Hello jojjy and TonyRI,

We pushed out a change to our Advanced settings config wherein we disable the conflicting settings with Trusteer automatically, so that users can continue to use Edge with Trusteer. When you reboot your pc, you should see ROP and malicious return address detection settings disabled for Browsers. This is done temporarily until we provide a permanent fix. If you have disabled it manually, it is fine as well.

For all other users, simply restart your pc for the settings change to take effect, after which you can continue using Edge browser without any blocks.

Thanks for your patience.

 

Share this post


Link to post
Share on other sites

Thanks for the explanation. I did notice the (automatic) temporary settings change after reboot, but went back to default settings to test...  Temp fix did work as described.  Will patiently wait for a permanent fix.   Thanks again! :)

Edited by TonyRI

Share this post


Link to post
Share on other sites

SAME ISSUE, Since I just upgraded Firefox to 58.1 - Malwarebytes keeps shutting down Firefox with Exploit ROP gadget attack blocked!!!!!

It is getting really annoying -- is there a real exploit or NOT - I disabled all of my ADD-ON, I even uninstalled and downloaded a build from Mozilla itself. I am not able to use FIREFOX any Longer?

I have WINDOWS 10 PRO - HP ENVY 17T -I do not have an IBM system.

There are no more ADD ON they are ALL DISABLED!!!

Log Details-
Protection Event Date: 1/29/18
Protection Event Time: 4:45 PM
Log File: d41397b9-0556-11e8-a2f1-48ba4e492d8d.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3816
License: Premium

-System Information-
OS: Windows 10 (Build 16299.125)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Mozilla Firefox (and add-ons)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked

Share this post


Link to post
Share on other sites
1 hour ago, DonnaMolinari said:

SAME ISSUE, Since I just upgraded Firefox to 58.1 - Malwarebytes keeps shutting down Firefox with Exploit ROP gadget attack blocked!!!!!

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.