
Malwarebytes blocks Firefox 58b4



After a few seconds of Firefox beta 58b4 opening, Malwarebytes closes and blocks with this message:

protection against OS security bypass
exploit ROP gadget attack blocked

Had to uncheck "RET ROP Gadget detection (64 bit)" for "Browsers" to keep this from happening. I always run Firefox beta and this just started after the upgrade to v58b4. This was not happening with any of the Firefox beta 57 builds.

I've run Firefox in safe mode with add-ons disabled with the same result.

Also, this happened before and after the most recent upgrade to Malwarebytes.

Malwarebytes 3.2.2.2029
- updated MB db as of 10:39am EST
Windows 10 (Build 16299.64)
Firefox beta 58b4

malwarebytes-report-17nov2017.txt

MBAMSERVICE.LOG


Already have the latest version, but I did re-install and reboot, same result. Tried another Win10 PC. As soon as I upgraded Firefox to 58b4, it got blocked. The MB version on the other PC is 3.2.2.2029, which I believe is the previous version, so both the previous and latest versions of MB are blocking the latest beta version of Firefox, at least on 2 of my Win10 PCs. I've tried this with all add-ons disabled, so I don't think it has anything to do with the add-ons.

- just tried with a newly created profile in Firefox and MB still blocks that as well.  
- tried the latest Firefox Nightly build, and it's getting blocked (59.0a1 2017-11-17 64-bit).
- created new Firefox profile and latest Firefox Nightly on separate PC with same result.

If I downgrade back to stable v57 on either PC, it works fine.


@tahlyn

I am still looking at logs and trying to replicate this issue. The 2 settings that are causing issues are not something that we enable by default on a clean installation of Malwarebytes so I am exploring any possible problems with that and the latest Firefox beta.

Also, because this is a beta release of Firefox having the issue, it is possible that they're working on changes that cause us to flag them on very specific cases that I am unable to replicate yet. There are a few add-ons as well that I am not able to test with because they are not available anymore, which could be the cause of the issue if they behave strangely with beta releases of Firefox. Sometimes Firefox, even if run with add-ons disabled, will still load them.

 

Try this and let me know the result:

For the time being, could you load Firefox beta back on the unit and open it in Safe Mode to see if you still experience that problem? To load safe mode, hold the "shift-key" while opening Firefox and hit "start in safe mode".

Firefox Safe Mode

 

Make sure to do a manual database update in Malwarebytes as well; we pushed out some fixes earlier.

Edited by vbarytskyy

I've already loaded Firefox in safe mode to disable all add-ons and I've also tried new profiles on both PCs, still gets blocked. I agree that I'm not using default settings in MB and it's only happening with the beta and nightly, but I'm concerned that whatever is happening in beta/nightly will get pushed to stable and the blocking will start happening to the stable branch of Firefox, which will become a major issue. Better to catch it now than later.

NOTE: some of the add-ons showing up in the scans have not been installed in my Firefox profile in a while. I'm only using the current web extension add-ons that only work with Firefox 57 and later.

I just tried to update to the latest database and it says I already have the latest version.

Again, the blocking only happens if I check "RET ROP Gadget detection (64 bit)" for "Browsers" in advanced settings.

Edited by tahlyn

Alright, we can look into detailed debug logs just to make sure this is not something that'll impact future releases. Follow these instructions for me and upload the logs. I will look over them.

  • Please download the files from this link:  Click here
  • Press the Windows + R keys, type "services.msc" and hit Enter.
  • Find the service named "Malwarebytes service" and use the right click menu to stop the service.
    • May have to disable "self-protection" first and/or quit Malwarebytes to be able to stop the service
  • Extract the contents of the ZIP to a sub-folder in your Desktop.
  • Copy the files mbae.dll and mbae64.dll and paste them to the C:\Program Files\Malwarebytes\Anti-Malware\ folder.
  • Copy the files mbae.sys and mbae64.sys and paste them to the C:\Windows\System32\drivers\ folder.
  • After you replace the files, start the "Malwarebytes service" service again or reboot the computer. 
  • Reproduce the problem and collect and send back to us these files:
    • C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log
    • C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log
    • C:\ProgramData\MBAE_minidumps\

After the logs are submitted, Malwarebytes will require reinstallation to stop the debugging process. Advise using MB-Clean:

Get MB-Clean
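
The file-replacement and log-collection steps above, scripted as an added example that is not part of the original post and is not Malwarebytes' own tooling. It checks the Authenticode signature of each replacement binary before anything is copied into the program or driver folders. The extraction folder name, the output file names, and the expectation that the debug files are signed with a certificate whose subject contains "Malwarebytes" are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: install the debug MBAE binaries only if they are validly signed,
# then gather the requested logs. $Src is a hypothetical extraction folder.
$ErrorActionPreference = 'Stop'
$Src = Join-Path $env:USERPROFILE 'Desktop\mbae-debug'   # assumed sub-folder name
$Targets = @{
    'mbae.dll'   = 'C:\Program Files\Malwarebytes\Anti-Malware'
    'mbae64.dll' = 'C:\Program Files\Malwarebytes\Anti-Malware'
    'mbae.sys'   = 'C:\Windows\System32\drivers'
    'mbae64.sys' = 'C:\Windows\System32\drivers'
}

# 1. Verify every file before touching the system. A missing or tampered file
#    aborts the run with nothing copied. The signer match is an assumption.
foreach ($name in $Targets.Keys) {
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $Src $name)
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'Malwarebytes') {
        throw "Refusing to install ${name}: signature status '$($sig.Status)'"
    }
}

# 2. Stop the service (fails if self-protection is still enabled), replace the
#    files, and start the service again.
$svc = Get-Service -DisplayName 'Malwarebytes service'
Stop-Service -InputObject $svc -Force
foreach ($name in $Targets.Keys) {
    Copy-Item -Path (Join-Path $Src $name) -Destination $Targets[$name] -Force
}
Start-Service -InputObject $svc

# 3. After reproducing the block, copy the logs to a staging folder (the live
#    log files may be held open by the service) and zip the copies.
Read-Host 'Reproduce the Firefox block, then press Enter' | Out-Null
$wanted = 'C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log',
          'C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log',
          'C:\ProgramData\MBAE_minidumps'
$stage = Join-Path $Src 'collected'
New-Item -ItemType Directory -Path $stage -Force | Out-Null
$wanted | Where-Object { Test-Path $_ } |
    Copy-Item -Destination $stage -Recurse -Force
# Minidumps hold process memory, so review the archive before uploading it.
Compress-Archive -Path (Join-Path $stage '*') `
    -DestinationPath (Join-Path $Src 'mbae-debug-logs.zip') -Force
```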
