Re: Sophos reports an ROP problem, and shuts Seamonkey down.

Tue, 29 May 2018 10:40:32 -0700

Seems to be a "feature" of Sophos to report possible ROP problems in any software. Use latest compatible Noscript and uBlock and just add an exception in Sophos. If this isn't possible ditch Sophos. 

FRG

Dirk Munk wrote:

Dirk Munk wrote:
I have Sophos anti-virus (etc.) running on my PC, and a few days ago it reported a ROP problem with Seamonkey and closed it down. 

After restarting Seamonkey everything was fine again.

Sophos gave this trace of the problem:

Mitigation   ROP

Platform     10.0.17134/x64 v614 06_3a
PID          18136
Application  C:\Program Files\SeaMonkey\seamonkey.exe
Description  SeaMonkey 2.49.3

Callee Type  LoadLibrary

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ---------------------------------------- 
1  00007FFD8A0FBC4D KernelBase.dll
2  00007FFD8D6927D7 ntdll.dll
3  00007FFD8D67AC26 ntdll.dll                __C_specific_handler +0x96
4  00007FFD8D68EDCD ntdll.dll                __chkstk +0x11d
5  00007FFD8D5F6C86 ntdll.dll
6  00007FFD8D68DCFE ntdll.dll KiUserExceptionDispatcher +0x2e

7  00007FFD3CFAF0FD xul.dll
                    80791000                 CMP          BYTE [RCX+0x10], 0x0
                    7465                     JZ 0x7ffd3cfaf168
                    83b91c2b000000           CMP          DWORD [RCX+0x2b1c], 0x0 
                    7416                     JZ 0x7ffd3cfaf122
                    498bc0                   MOV          RAX, R8
                    482500f0ffff             AND          RAX, 0xfffffffffffff000 
                    488b4008                 MOV          RAX, [RAX+0x8]
                    83b87008000000           CMP          DWORD [RAX+0x870], 0x0 
                    7446                     JZ 0x7ffd3cfaf168
                    4d85c0                   TEST         R8, R8
                    740c                     JZ 0x7ffd3cfaf133
                    4881cae8ff0f00           OR           RDX, 0xfffe8
                    833a01                   CMP          DWORD [RDX], 0x1
                    7435                     JZ 0x7ffd3cfaf168
                    498bc0                   MOV          RAX, R8
                    4981e0a0c0ffff           AND          R8, 0xffffffffffffc0a0 

8  00007FFD3A505F69 xul.dll
9  00007FFD3A50611B xul.dll
10 00007FFD3CFF9A07 xul.dll

Process Trace
1  C:\Program Files\SeaMonkey\seamonkey.exe [18136]
2  C:\Windows\explorer.exe [11128]
3  C:\Windows\System32\userinit.exe [10980]
4  C:\Windows\System32\winlogon.exe [812]
winlogon.exe

Thumbprint
6b7c6ddb5008f8cfec2b72d6c65841972bb2c3f0f227ed14ea6b1187aec1429d
This is a security problem. According to Sophos, Seamonkey is doing something it should not be doing, perhaps executing a piece of malicious code from a web site?
I've seen the problem more often now, and I wonder if someone can have a look at it? 
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Reply via email to