New FIREFOX 58.1 Crashes with Exploit ROP gadget attack blocked, BUG??

[DonnaMolinari]

Is this a bug - false positive or what!!!! Please Explain!!! Please FIX if it is a BUG!! With New Firefox 58.1

Since I just upgraded Firefox to 58.1 - Malwarebytes keeps shutting down Firefox with Exploit ROP gadget attack blocked!!!!!

It is getting really annoying -- is there a real exploit or NOT - I disabled all of my ADD-ON, I even uninstalled and downloaded a build from Mozilla itself. I am not able to use FIREFOX any Longer?

Please RESOLVE ASAP!!!! I have not idea what else to do - there are no more ADD ON they are ALL DISABLED!!!

Please send me EMAIL ASAP and let me know when you are going to fix it to:

-Log Details-
Protection Event Date: 1/29/18
Protection Event Time: 4:45 PM
Log File: d41397b9-0556-11e8-a2f1-48ba4e492d8d.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3816
License: Premium

-System Information-
OS: Windows 10 (Build 16299.125)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Mozilla Firefox (and add-ons)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked

 

 

MOZILLA-UPDATE-EXPLOITS.txt

Edited January 30, 2018 by Maurice Naggar

[Cain]

EXACT same thing on Firefox 58.0.1 Donna, and it's freaking me out a little bit. 

I've never had or seen anything like this before.  At first I thought I'd gotten a fake firefox update, but I didn't.  I've been scanning the heck out of my PC and it seems to be virus free, but Firefox is getting shutdown by MB constantly, even on basic sites like google.com.

Thanks in advance for any help.

----------------------------------

-Log Details-
Protection Event Date: 1/29/18
Protection Event Time: 8:58 PM
Log File: 00c8663a-0561-11e8-9e6e-704d7b285f80.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3817
License: Premium

-System Information-
OS: Windows 10 (Build 16299.192)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Mozilla Firefox (and add-ons)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked
File Name:
URL:

 

 

Edited January 30, 2018 by Cain

[DonnaMolinari]

CHROME IS WORKING O.K. - SO I AM USING CHROME FOR NOW. But I use FIREFOX EXCLUSIVELY - BECAUSE I LIKE THE SECURITY PLUG-INS FOR NORTON, ETC. PDF MAKER, ETC. THIS IS NOT GOOD - I LIKE MALWAREBYTES I WANT TO KEEP IT, BUT I SHOULD NOT GET ANY FALSE POSITIVES IF THERE ISN"T REALLY ANY VULNERABILITIES OR EXPLOITS. Maybe there is something new with FIREFOX 58.1, I believe MALWAREBYTES Development should get with FIREFOX Development team to figure out what is causing it.

[Cain]

Hey Donna, I'm guessing this is an issue with the new Firefox update and all the major changes MB has recently made to their "web protection", sadly you and I may be the canaries in the mine - so we got it first!  :-)

I also made a post to support your post, I'm guessing they will jump on this later tonight or early tomorrow morning. 

Love me some Firefox, and also love me some Malwarebytes - I'm sure they will get this figured out very soon - otherwise I predict lots of freaked out and upset users!! 

 

[DonnaMolinari]

My Profession for the last 18 years I worked in R&D Enterprise Software Engineering --- my last job was with HPE ARCSIGHT SIEM SECURITY!! 

Please see my LinkedIn info: https://www.linkedin.com/in/djmolinari/

I uninstalled FIREFOX 58.1 and Installed the previous version - it proves the issue is with FIREFOX 58.1 - This is my QA Experience kicking in.

I enabled all of my ADD-ON and there are no problems.

PLEASE FIX BUG DEV TEAM AT MALWAREBYTES - I wasn't able to recreate it with Firefox v57.0.4 64-BIT

1. Firefox 58.1 with current Malwarebytes v3.3.1 false positive exploit

Edited January 30, 2018 by DonnaMolinari

[Cain]

Nice catch Donna, that's a bit of a relief knowing it's a bug/glitch and not an actual exploit that got through to our systems.

[DonnaMolinari]

It can either be when Mozilla built the next release of Firefox 58.0.1 a real vulnerability was built into it and that build has the exploit or Malwarebytes is detecting an false positive in Firefox 58 add-on configuration page. Because I disabled all of the add-ons I had still got the exploit warning. I have now been using Firefox 57 now with all add-ons enabled and Malwarebytes is not detecting any exploits. Plus Firefox new version has a new install now called Firefox Quantum v58.0.1. 

[Porthos]

Check these settings, Be sure all highlighted boxes are unchecked.

[DonnaMolinari]

Hello Porthos,

Will this fix the issue with Firefox 58.1?

I am not going to try it out first -but did you test it to make sure it works?

Thanks in Advance,

Donna Molinari

[AlexSmith]

3 minutes ago, DonnaMolinari said:

Hello Porthos,

Will this fix the issue with Firefox 58.1?

I am not going to try it out first -but did you test it to make sure it works?

Thanks in Advance,

Donna Molinari

Hi @DonnaMolinari!! What @Porthos posted is actually a screenshot of the default Anti-Exploit Settings in the current release of Malwarebytes. I can confirm with those settings set to defaults, Firefox 58.0.1 runs fine.

Edited January 30, 2018 by AlexSmith

[DonnaMolinari]

Thank you Alex -I will give it a try later. What are those anti-exploit options? If they are there, they must be important.

[AlexSmith]

14 minutes ago, DonnaMolinari said:

Thank you Alex -I will give it a try later. What are those anti-exploit options? If they are there, they must be important.

No problem @DonnaMolinari, glad to help!!

To answer your follow up question, those are Advanced Anti-Exploit Settings that provide users the ability to control how our anti-exploit layer works in case its needed. Usually this is something that would only need to be modified when requested by a Malwarebytes support member to help resolve a specific or unique conflict/issue (similar to what is called out at the top of the settings window). It's also there for advanced users that want to have complete control of this layer.

Edited January 30, 2018 by AlexSmith

[Arthi]

Hi All,

The default settings that we provide as part of Anti-Exploit is after a careful deliberation by our security experts to provide optimum security while minimizing false positives. It is the recommended solution for users.

However, there are some settings that we offer which provide additional security but might not be compatible with a few 3rd party products. One such is RET ROP Gadget Detection. By default, we do not recommend turning it on. But by no means turning it off will reduce users' security. 

If you are using Firefox 58, Please use default recommended settings as in the below screenshot.

Thank you.