Re: Sophos reports an ROP problem, and shuts Seamonkey down.
On 30/05/2018 21:48, EE wrote:
> What is ROP? I found 4 possible expansions for that abbreviation.

https://en.wikipedia.org/wiki/Return-oriented_programming

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
Re: Sophos reports an ROP problem, and shuts Seamonkey down.
On 5/30/18, EE wrote:
> Lee wrote:
>> On 5/29/18, Frank-Rainer Grahl wrote:
>>> Seems to be a "feature" of Sophos to report possible ROP problems in any
>>> software. Use latest compatible Noscript and uBlock and just add an
>>> exception in Sophos.
>>
>> If one wanted to check and see if maybe the possible ROP problem
>> really was the result of executing a piece of malicious code from a
>> web site, how would you go about it?
>>
>> I tried this:
>> C:\Temp>type startSM-with-logging.bat
>> @REM see https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
>> @REM
>>
>> @rem set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5
>>
>> set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:3
>> @rem nsHttp:3 log only http request and response headers
>>
>> set MOZ_LOG_FILE=%TEMP%\sm-log.txt
>>
>> "c:\Program Files (x86)\SeaMonkey\SeaMonkey.exe"
>>
>> which is 1) more verbose than I'd like and 2) not so easy to parse.
>> Is there some other way to keep track of what all SeaMonkey gets off the
>> web?
>>
>> Thanks
>> Lee
>>
>>> Dirk Munk wrote:
>>>> Dirk Munk wrote:
>>>>> I have Sophos anti-virus (etc.) running on my PC, and a few days ago it
>>>>> reported a ROP problem with Seamonkey and closed it down.
>>>>>
>>>>> After restarting Seamonkey everything was fine again.
>>>>>
>>>>> Sophos gave this trace of the problem:
>>>>>
>>>>> Mitigation  ROP
>>>>>
>>>>> Platform    10.0.17134/x64 v614 06_3a
>>>>> PID         18136
>>>>> Application C:\Program Files\SeaMonkey\seamonkey.exe
>>>>> Description SeaMonkey 2.49.3
>>>>>
>>>>> Callee Type LoadLibrary
>>>>>
>>>>> Stack Trace
>>>>> #  Address      Module         Location
>>>>> --
>>>>> 1  7FFD8A0FBC4D KernelBase.dll
>>>>> 2  7FFD8D6927D7 ntdll.dll
>>>>> 3  7FFD8D67AC26 ntdll.dll      __C_specific_handler +0x96
>>>>> 4  7FFD8D68EDCD ntdll.dll      __chkstk +0x11d
>>>>> 5  7FFD8D5F6C86 ntdll.dll
>>>>> 6  7FFD8D68DCFE ntdll.dll      KiUserExceptionDispatcher +0x2e
>>>>>
>>>>> 7  7FFD3CFAF0FD xul.dll
>>>>>                 80791000        CMP   BYTE [RCX+0x10], 0x0
>>>>>                 7465            JZ    0x7ffd3cfaf168
>>>>>                 83b91c2b00      CMP   DWORD [RCX+0x2b1c], 0x0
>>>>>                 7416            JZ    0x7ffd3cfaf122
>>>>>                 498bc0          MOV   RAX, R8
>>>>>                 482500f0        AND   RAX, 0xf000
>>>>>                 488b4008        MOV   RAX, [RAX+0x8]
>>>>>                 83b8700800      CMP   DWORD [RAX+0x870], 0x0
>>>>>                 7446            JZ    0x7ffd3cfaf168
>>>>>                 4d85c0          TEST  R8, R8
>>>>>                 740c            JZ    0x7ffd3cfaf133
>>>>>                 4881cae8ff0f00  OR    RDX, 0xfffe8
>>>>>                 833a01          CMP   DWORD [RDX], 0x1
>>>>>                 7435            JZ    0x7ffd3cfaf168
>>>>>                 498bc0          MOV   RAX, R8
>>>>>                 4981e0a0c0      AND   R8, 0xc0a0
>>>>>
>>>>> 8  7FFD3A505F69 xul.dll
>>>>> 9  7FFD3A50611B xul.dll
>>>>> 10 7FFD3CFF9A07 xul.dll
>>>>>
>>>>> Process Trace
>>>>> 1 C:\Program Files\SeaMonkey\seamonkey.exe [18136]
>>>>> 2 C:\Windows\explorer.exe [11128]
>>>>> 3 C:\Windows\System32\userinit.exe [10980]
>>>>> 4 C:\Windows\System32\winlogon.exe [812]
>>>>>   winlogon.exe
>>>>>
>>>>> Thumbprint
>>>>> 6b7c6ddb5008f8cfec2b72d6c65841972bb2c3f0f227ed14ea6b1187aec1429d
>>>>>
>>>> This is a security problem. According to Sophos, Seamonkey is doing
>>>> something it should not be doing, perhaps executing a piece of malicious
>>>> code from a web site?
>>>>
>>>> I've seen the problem more often now, and I wonder if someone can have a
>>>> look at it?
>
> What is ROP? I found 4 possible expansions for that abbreviation.
In the context of an anti-virus msg, most probably

> Return-oriented Programming

see
https://www.coursera.org/learn/software-security/lecture/vjGZA/return-oriented-programming-rop
which gets about half way thru & prompts you to sign up :(
But it's enough for you to get the idea

Lee
Re: Sophos reports an ROP problem, and shuts Seamonkey down.
Lee wrote:
> On 5/29/18, Frank-Rainer Grahl wrote:
>> Seems to be a "feature" of Sophos to report possible ROP problems in any
>> software. Use latest compatible Noscript and uBlock and just add an
>> exception in Sophos.
>
> If one wanted to check and see if maybe the possible ROP problem
> really was the result of executing a piece of malicious code from a
> web site, how would you go about it?
>
> I tried this:
> C:\Temp>type startSM-with-logging.bat
> @REM see https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
> @REM
>
> @rem set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5
>
> set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:3
> @rem nsHttp:3 log only http request and response headers
>
> set MOZ_LOG_FILE=%TEMP%\sm-log.txt
>
> "c:\Program Files (x86)\SeaMonkey\SeaMonkey.exe"
>
> which is 1) more verbose than I'd like and 2) not so easy to parse.
> Is there some other way to keep track of what all SeaMonkey gets off the
> web?
>
> Thanks
> Lee
>
>> Dirk Munk wrote:
>>> Dirk Munk wrote:
>>>> I have Sophos anti-virus (etc.) running on my PC, and a few days ago it
>>>> reported a ROP problem with Seamonkey and closed it down.
>>>>
>>>> After restarting Seamonkey everything was fine again.
>>>>
>>> This is a security problem. According to Sophos, Seamonkey is doing
>>> something it should not be doing, perhaps executing a piece of malicious
>>> code from a web site?
>>>
>>> I've seen the problem more often now, and I wonder if someone can have a
>>> look at it?

What is ROP? I found 4 possible expansions for that abbreviation.
Remote Operation
Readout Protection
Return-oriented Programming
RISC Operation (Reduced Instruction Set Code)
Re: Sophos reports an ROP problem, and shuts Seamonkey down.
On 5/29/18, Frank-Rainer Grahl wrote:
> Seems to be a "feature" of Sophos to report possible ROP problems in any
> software. Use latest compatible Noscript and uBlock and just add an
> exception in Sophos.

If one wanted to check and see if maybe the possible ROP problem
really was the result of executing a piece of malicious code from a
web site, how would you go about it?

I tried this:
C:\Temp>type startSM-with-logging.bat
@REM see https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
@REM

@rem set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5

set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:3
@rem nsHttp:3 log only http request and response headers

set MOZ_LOG_FILE=%TEMP%\sm-log.txt

"c:\Program Files (x86)\SeaMonkey\SeaMonkey.exe"


which is 1) more verbose than I'd like and 2) not so easy to parse.
Is there some other way to keep track of what all SeaMonkey gets off the
web?

Thanks
Lee

> Dirk Munk wrote:
>> Dirk Munk wrote:
>>> I have Sophos anti-virus (etc.) running on my PC, and a few days ago it
>>> reported a ROP problem with Seamonkey and closed it down.
>>>
>>> After restarting Seamonkey everything was fine again.
>>>
>> This is a security problem. According to Sophos, Seamonkey is doing
>> something it should not be doing, perhaps executing a piece of malicious
>> code from a web site?
>>
>> I've seen the problem more often now, and I wonder if someone can have a
>> look at it?
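Lee's complaint above is that the nsHttp:3 log is verbose and hard to parse. As an added example (not code from the thread), here is a small Python script that pulls the "http request [ ... ]" and "http response [ ... ]" blocks out of a MOZ_LOG file and builds an inventory of what the browser fetched, calling out executable downloads; the sample log lines, host names, the RISKY_TYPES set and the function names are constructed for this illustration.

```python
import re
from collections import deque, namedtuple

# Constructed sample of what MOZ_LOG=timestamp,sync,nsHttp:3 writes: one line per
# header, each wrapped in "http request [ ... ]" or "http response [ ... ]".
# The line layout is Gecko's; the hosts, paths and times are made up here.
def _log(ts, *payload):
    return ["2018-05-30 20:15:%s UTC - [Socket Thread]: I/nsHttp %s" % (ts, p) for p in payload]

SAMPLE_LOG = "\n".join(
    _log("08.101", "http request [", "  GET /index.html HTTP/1.1", "  Host: www.example.com", "]")
    + _log("08.250", "http response [", "  HTTP/1.1 200 OK", "  Content-Type: text/html; charset=utf-8", "]")
    + _log("09.004", "http request [", "  GET /dl/setup.exe HTTP/1.1", "  Host: dl.example.net", "]")
    + _log("09.377", "http response [", "  HTTP/1.1 200 OK", "  Content-Type: application/x-msdownload",
           '  Content-Disposition: attachment; filename="setup.exe"', "]"))

Fetch = namedtuple("Fetch", "host path status content_type flagged")
RISKY_TYPES = {"application/x-msdownload", "application/octet-stream"}  # worth a second look
_PAYLOAD = re.compile(r"/nsHttp (.*)$")  # text after the "<time> - [thread]: I" prefix

def _blocks(lines):
    """Yield (kind, lines) for every 'http request [ ... ]' / 'http response [ ... ]' block."""
    kind, body = None, []
    for line in lines:
        m = _PAYLOAD.search(line)
        text = m.group(1).strip() if m else ""
        if text in ("http request [", "http response ["):
            kind, body = text.split()[1], []
        elif text == "]" and kind:
            yield kind, body
            kind = None
        elif kind and text:
            body.append(text)

def _headers(body):  # header lines follow the request line / status line
    return {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in body[1:])}

def inventory(log_text):
    """Pair each request with the next response in log order (exact on one connection,
    approximate when several connections interleave) and summarise what was fetched."""
    pending, fetches = deque(), []
    for kind, body in _blocks(log_text.splitlines()):
        if not body:
            continue
        if kind == "request":                   # body[0] is e.g. "GET /index.html HTTP/1.1"
            pending.append((_headers(body).get("host", "?"), body[0].split()[1]))
        elif pending:                           # body[0] is e.g. "HTTP/1.1 200 OK"
            host, path = pending.popleft()
            hdrs = _headers(body)
            ctype = hdrs.get("content-type", "").split(";")[0].strip()
            flagged = ctype in RISKY_TYPES or hdrs.get("content-disposition", "").startswith("attachment")
            fetches.append(Fetch(host, path, int(body[0].split()[1]), ctype, flagged))
    return fetches
```

On a real machine, read the contents of %TEMP%\sm-log.txt and pass it to inventory(); each returned Fetch with flagged set is a download of executable content that deserves a look.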
Re: Sophos reports an ROP problem, and shuts Seamonkey down.
Seems to be a "feature" of Sophos to report possible ROP problems in any
software. Use latest compatible Noscript and uBlock and just add an
exception in Sophos. If this isn't possible ditch Sophos.

FRG

Dirk Munk wrote:
> Dirk Munk wrote:
>> I have Sophos anti-virus (etc.) running on my PC, and a few days ago it
>> reported a ROP problem with Seamonkey and closed it down.
>>
>> After restarting Seamonkey everything was fine again.
>>
> This is a security problem. According to Sophos, Seamonkey is doing
> something it should not be doing, perhaps executing a piece of malicious
> code from a web site?
>
> I've seen the problem more often now, and I wonder if someone can have a
> look at it?
Re: Sophos reports an ROP problem, and shuts Seamonkey down.
On 5/29/2018 8:02 AM, Dirk Munk wrote:
> Dirk Munk wrote:
>> I have Sophos anti-virus (etc.) running on my PC, and a few days ago it
>> reported a ROP problem with Seamonkey and closed it down.
>>
>> After restarting Seamonkey everything was fine again.
>>
> This is a security problem. According to Sophos, Seamonkey is doing
> something it should not be doing, perhaps executing a piece of malicious
> code from a web site?
>
> I've seen the problem more often now, and I wonder if someone can have a
> look at it?

To escape Avast's nagging and frivolous complexity (why is a typical user
designing his own scan parameters?) I switched to Kaspersky. Kaspersky solved
these problems but had the unfortunate side effect of blocking SeaMonkey in
well over half of my attempts to access websites.

Without commenting on the legitimacy of the security concerns raised by
Kaspersky and Sophos, since I really don't know, I can say that this problem
does not occur with Bit Defender, which knows how to stay out of your life
while doing its job and is a pleasure to use. Its one quirk with Windows
machines is that System Restore only works in safe mode - which for me is no
biggie.
Re: Sophos reports an ROP problem, and shuts Seamonkey down.
Dirk Munk wrote:
> I have Sophos anti-virus (etc.) running on my PC, and a few days ago it
> reported a ROP problem with Seamonkey and closed it down.
>
> After restarting Seamonkey everything was fine again.
>
> Sophos gave this trace of the problem:
>
> Mitigation  ROP
>
> Platform    10.0.17134/x64 v614 06_3a
> PID         18136
> Application C:\Program Files\SeaMonkey\seamonkey.exe
> Description SeaMonkey 2.49.3
>
> Callee Type LoadLibrary
>
> Stack Trace
> #  Address      Module         Location
> --
> 1  7FFD8A0FBC4D KernelBase.dll
> 2  7FFD8D6927D7 ntdll.dll
> 3  7FFD8D67AC26 ntdll.dll      __C_specific_handler +0x96
> 4  7FFD8D68EDCD ntdll.dll      __chkstk +0x11d
> 5  7FFD8D5F6C86 ntdll.dll
> 6  7FFD8D68DCFE ntdll.dll      KiUserExceptionDispatcher +0x2e
>
> 7  7FFD3CFAF0FD xul.dll
>                 80791000        CMP   BYTE [RCX+0x10], 0x0
>                 7465            JZ    0x7ffd3cfaf168
>                 83b91c2b00      CMP   DWORD [RCX+0x2b1c], 0x0
>                 7416            JZ    0x7ffd3cfaf122
>                 498bc0          MOV   RAX, R8
>                 482500f0        AND   RAX, 0xf000
>                 488b4008        MOV   RAX, [RAX+0x8]
>                 83b8700800      CMP   DWORD [RAX+0x870], 0x0
>                 7446            JZ    0x7ffd3cfaf168
>                 4d85c0          TEST  R8, R8
>                 740c            JZ    0x7ffd3cfaf133
>                 4881cae8ff0f00  OR    RDX, 0xfffe8
>                 833a01          CMP   DWORD [RDX], 0x1
>                 7435            JZ    0x7ffd3cfaf168
>                 498bc0          MOV   RAX, R8
>                 4981e0a0c0      AND   R8, 0xc0a0
>
> 8  7FFD3A505F69 xul.dll
> 9  7FFD3A50611B xul.dll
> 10 7FFD3CFF9A07 xul.dll
>
> Process Trace
> 1 C:\Program Files\SeaMonkey\seamonkey.exe [18136]
> 2 C:\Windows\explorer.exe [11128]
> 3 C:\Windows\System32\userinit.exe [10980]
> 4 C:\Windows\System32\winlogon.exe [812]
>   winlogon.exe
>
> Thumbprint
> 6b7c6ddb5008f8cfec2b72d6c65841972bb2c3f0f227ed14ea6b1187aec1429d

This is a security problem. According to Sophos, Seamonkey is doing something
it should not be doing, perhaps executing a piece of malicious code from a web
site?

I've seen the problem more often now, and I wonder if someone can have a look
at it?