Problem with new Firefox (55) release?

This morning, before I applied the latest Firefox update, I was able to log into the sites I use for work and get work done.

This afternoon, after I applied the 55.0.1 Firefox update, logging into Kaseya triggers a "LoadLib" event and my browser is closed. Logging into IT Glue is fine until I go to look at some information and then another "LoadLib" event. Basically, two of the sites I use most at my job are unusable.

(Tongue-in-cheek "get another browser" replies are amusing but unneeded, thank you.)

Here's a relevant Event Log entry:

Log Name: Application
Source: HitmanPro.Alert
Date: 8/14/2017 2:20:15 PM
Event ID: 911
Task Category: Mitigation
Level: Error
Keywords: Classic
User: N/A
Computer: KKEREZMAN-Z620
Description:
Mitigation LoadLib

Platform 10.0.15063/x64 v713 06_3e
PID 8396
Application C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Description Firefox 55.0.1

DLL injected into PID 5012 (4096 bytes)

00F30000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
00F30010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
00F30020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F30030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................
00F30040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
00F30050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00F30060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00F30070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
00F30080 9F 2C D8 08 DB 4D B6 5B DB 4D B6 5B DB 4D B6 5B .,...M.[.M.[.M.[
00F30090 B6 10 B5 5A D2 4D B6 5B B6 10 B3 5A A3 4D B6 5B ...Z.M.[...Z.M.[
00F300A0 B6 10 B2 5A C3 4D B6 5B E0 13 B5 5A C9 4D B6 5B ...Z.M.[...Z.M.[
00F300B0 E0 13 B2 5A CB 4D B6 5B E0 13 B3 5A F9 4D B6 5B ...Z.M.[...Z.M.[
00F300C0 B6 10 B7 5A D8 4D B6 5B DB 4D B7 5B AE 4D B6 5B ...Z.M.[.M.[.M.[
00F300D0 4E 13 BF 5A D3 4D B6 5B 4E 13 B6 5A DA 4D B6 5B N..Z.M.[N..Z.M.[
00F300E0 49 13 49 5B DA 4D B6 5B 4E 13 B4 5A DA 4D B6 5B I.I[.M.[N..Z.M.[
00F300F0 52 69 63 68 DB 4D B6 5B 00 00 00 00 00 00 00 00 Rich.M.[........
00F30100 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 06 00 ........PE..L...
00F30110 C1 35 8B 59 00 00 00 00 00 00 00 00 E0 00 22 21 .5.Y.........."!
00F30120 0B 01 0E 00 00 18 01 00 00 9A 00 00 00 00 00 00 ................
00F30130 65 10 00 00 00 10 00 00 00 30 01 00 00 00 F3 00 e........0......
00F30140 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 ................
00F30150 06 00 01 00 00 00 00 00 00 00 02 00 00 04 00 00 ................
00F30160 E7 D2 01 00 02 00 40 01 00 00 10 00 00 10 00 00 ......@.........
00F30170 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ................

Process Trace
1 C:\Program Files (x86)\Mozilla Firefox\firefox.exe [8396]
2 C:\Windows\explorer.exe [7856]
3 C:\Windows\System32\userinit.exe [7836]

Thumbprint
60c35895bf61619365f9ac48a7d235f93cc144aa8b1f6807408ad5a36d0a8580



  • If you know that the DLL being injected into Firefox.exe is fine/expected, and the thumbprint is always the same (or has just a few variations), e.g. in this case 60c35895bf61619365f9ac48a7d235f93cc144aa8b1f6807408ad5a36d0a8580, you can authorize this thumbprint, either globally or in a specific threat protection policy.

    Globally - https://cloud.sophos.com/manage/config/settings/scanning-exclusions

    Add Exclusion

    Type: Detected Exploits (Windows)

    You should see the event for: 'LoadLib' exploit prevented in Firefox.exe

    If you authorize it, then within a few seconds the endpoint should have a registry value with that same thumbprint under:

    hklm\software\hitmanpro.alert\WhiteThumbprints

    Regards,

    Jak


  • Jak,

    Good to know, thanks for the how-to. Question is, now: How do I know what DLL it was trying to load? Or was it one of the EXEs listed in the event details? (Why would FF be loading UserInit? Beats me...) I may just hold off a bit until I see if there's more noise about this release's problems out on the Internets.

    Thanks again,

    - Karel

  • The details:

    1 C:\Program Files (x86)\Mozilla Firefox\firefox.exe [8396]
    2 C:\Windows\explorer.exe [7856]
    3 C:\Windows\System32\userinit.exe [7836]

    show that userinit.exe launched explorer.exe, and explorer.exe launched firefox.exe. This would all be expected.

    As for the DLL that was being injected, I believe the event log details contain the start of its code.

    It's worth a couple of minutes to scan through this post, which touches on the other form of LoadLib detection, i.e. a process loading DLLs from network locations:

    https://community.sophos.com/products/intercept/f/information/92849/exploit-prevision-loadlib-error-when-opening-office-docs/336956

    In the example in that post, the DLL being injected was mentioned:

    EIP          5AEF4A58 (hpvpldrv09.dll)

    I assume you're not getting that?

    I would typically suggest a tool such as Process Explorer to see what modules are loaded by a process, but in the case of injected DLLs I don't think they show.

    Maybe Process Monitor could help.

    Regards,

    Jak

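Karel's question (which DLL was injected?) and Jak's remark that the event details carry the start of its code can be taken one step further with what is already in the post: the Event ID 911 entry dumps the first 0x180 bytes of the injected module, which is enough for the DOS header, the MSVC "Rich" header, the COFF header and the PE32 optional header. The script below is an added example written for this page; it is not code from the thread, from Sophos or from HitmanPro.Alert. It parses the dump lines exactly as pasted above, reads the standard PE fields, and decodes the Rich header (the undocumented but well-known "DanS"/"Rich" block that the Microsoft linker writes between the DOS stub and the PE signature; the XOR key sits right after "Rich"). The dictionary keys are mine, chosen for readability, and the 0x14C, 0x2000, 0x0040 and 0x0100 constants are the usual IMAGE_FILE_MACHINE_I386, IMAGE_FILE_DLL, DYNAMIC_BASE and NX_COMPAT values from winnt.h.

```python
"""Recover identifying PE fields from the hex dump in a HitmanPro.Alert
Event ID 911 'Mitigation LoadLib' entry (added example, not Sophos code)."""
import re
import struct
from datetime import datetime, timezone

# The 24 dump lines from the event in the post: the first 0x180 bytes of the injected DLL.
EVENT_DUMP = """\
00F30000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
00F30010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
00F30020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F30030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................
00F30040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
00F30050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00F30060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00F30070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
00F30080 9F 2C D8 08 DB 4D B6 5B DB 4D B6 5B DB 4D B6 5B .,...M.[.M.[.M.[
00F30090 B6 10 B5 5A D2 4D B6 5B B6 10 B3 5A A3 4D B6 5B ...Z.M.[...Z.M.[
00F300A0 B6 10 B2 5A C3 4D B6 5B E0 13 B5 5A C9 4D B6 5B ...Z.M.[...Z.M.[
00F300B0 E0 13 B2 5A CB 4D B6 5B E0 13 B3 5A F9 4D B6 5B ...Z.M.[...Z.M.[
00F300C0 B6 10 B7 5A D8 4D B6 5B DB 4D B7 5B AE 4D B6 5B ...Z.M.[.M.[.M.[
00F300D0 4E 13 BF 5A D3 4D B6 5B 4E 13 B6 5A DA 4D B6 5B N..Z.M.[N..Z.M.[
00F300E0 49 13 49 5B DA 4D B6 5B 4E 13 B4 5A DA 4D B6 5B I.I[.M.[N..Z.M.[
00F300F0 52 69 63 68 DB 4D B6 5B 00 00 00 00 00 00 00 00 Rich.M.[........
00F30100 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 06 00 ........PE..L...
00F30110 C1 35 8B 59 00 00 00 00 00 00 00 00 E0 00 22 21 .5.Y.........."!
00F30120 0B 01 0E 00 00 18 01 00 00 9A 00 00 00 00 00 00 ................
00F30130 65 10 00 00 00 10 00 00 00 30 01 00 00 00 F3 00 e........0......
00F30140 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 ................
00F30150 06 00 01 00 00 00 00 00 00 00 02 00 00 04 00 00 ................
00F30160 E7 D2 01 00 02 00 40 01 00 00 10 00 00 10 00 00 ......@.........
00F30170 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ................
"""
DANS_MARKER = 0x536E6144  # 'DanS' read as a little-endian dword

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def parse_dump(text):
    """Turn 'ADDRESS  16 hex bytes  ASCII' lines into (base_address, raw_bytes)."""
    base, chunks = None, []
    for line in text.splitlines():
        m = re.match(r"^\s*([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{2}){1,16})", line)
        if m:
            base = int(m.group(1), 16) if base is None else base
            chunks.append(bytes.fromhex(m.group(2).replace(" ", "")))
    return base, b"".join(chunks)

def parse_pe_header(image):
    """COFF header plus the PE32 optional-header fields that pin down a build."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20  # IMAGE_FILE_HEADER is 20 bytes
    magic, maj_link, min_link = struct.unpack_from("<HBB", image, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (0x10B) is handled here")
    checksum, _subsystem, dll_chars = struct.unpack_from("<IHH", image, opt + 64)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,                      # 0x14C = IMAGE_FILE_MACHINE_I386
        "sections": nsections,
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "is_dll": bool(chars & 0x2000),          # IMAGE_FILE_DLL
        "linker": (maj_link, min_link),
        "image_base": u32(image, opt + 28),
        "checksum": checksum,
        "aslr": bool(dll_chars & 0x0040),        # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        "nx": bool(dll_chars & 0x0100),          # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    }

def decode_rich_header(image, e_lfanew):
    """Decode the MSVC 'Rich' header into (product id, build, object count) triples."""
    rich = image.rfind(b"Rich", 0, e_lfanew)
    if rich < 0:
        return None
    key = u32(image, rich + 4)  # XOR mask stored right after 'Rich'
    dans = next((o for o in range(0, rich, 4) if u32(image, o) ^ key == DANS_MARKER), None)
    if dans is None:
        return None
    entries = []
    for off in range(dans + 16, rich, 8):  # skip 'DanS' and its three masked padding dwords
        val, cnt = struct.unpack_from("<II", image, off)
        val ^= key
        entries.append((val >> 16, val & 0xFFFF, cnt ^ key))
    return {"key": key, "entries": entries}

def analyze(text=EVENT_DUMP):
    base, image = parse_dump(text)
    info = parse_pe_header(image)
    info["dump_base"] = base
    info["at_preferred_base"] = base == info["image_base"]  # True: no relocation was applied
    info["rich"] = decode_rich_header(image, info["e_lfanew"])
    return info

if __name__ == "__main__":
    for field, value in analyze().items():
        print(f"{field}: {value:#x}" if type(value) is int else f"{field}: {value}")
```

What the dump gives you is not a file name but a fingerprint to match against: a 32-bit DLL with six sections, linker version 14.0, TimeDateStamp 0x598B35C1 (2017-08-09 16:18:09 UTC, five days before the event), CheckSum 0x1D2E7, ASLR and DEP enabled, and a preferred ImageBase of 0x00F30000 that equals the dump address, so the module was mapped at its preferred base. The Rich header decodes to twelve toolchain entries with build numbers 23917 to 24213, which are MSVC 14.0 (Visual Studio 2015) tool builds. The section table starts at 0x200, past the 0x180 bytes HitmanPro.Alert recorded, so section names and imports are not recoverable from this event alone. The practical next step is to compare the timestamp and checksum against the DLLs in C:\Program Files (x86)\Mozilla Firefox with whichever PE tool you have to hand; a match tells you which module triggered the detection, and a miss is the point at which authorizing the thumbprint stops being a reasonable default.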