On 5/29/2018 8:02 AM, Dirk Munk wrote:
Dirk Munk wrote:
I have Sophos anti-virus (etc.) running on my PC, and a few days ago
it reported a ROP problem with Seamonkey and closed it down.

After restarting Seamonkey everything was fine again.

Sophos gave this trace of the problem:

Mitigation   ROP

Platform     10.0.17134/x64 v614 06_3a
PID          18136
Application  C:\Program Files\SeaMonkey\seamonkey.exe
Description  SeaMonkey 2.49.3

Callee Type  LoadLibrary

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFD8A0FBC4D KernelBase.dll
2  00007FFD8D6927D7 ntdll.dll
3  00007FFD8D67AC26 ntdll.dll                __C_specific_handler +0x96
4  00007FFD8D68EDCD ntdll.dll                __chkstk +0x11d
5  00007FFD8D5F6C86 ntdll.dll
6  00007FFD8D68DCFE ntdll.dll                KiUserExceptionDispatcher +0x2e

7  00007FFD3CFAF0FD xul.dll
                    80791000                 CMP          BYTE [RCX+0x10], 0x0
                    7465                     JZ           0x7ffd3cfaf168
                    83b91c2b000000           CMP          DWORD [RCX+0x2b1c], 0x0
                    7416                     JZ           0x7ffd3cfaf122
                    498bc0                   MOV          RAX, R8
                    482500f0ffff             AND          RAX, 0xfffffffffffff000
                    488b4008                 MOV          RAX, [RAX+0x8]
                    83b87008000000           CMP          DWORD [RAX+0x870], 0x0
                    7446                     JZ           0x7ffd3cfaf168
                    4d85c0                   TEST         R8, R8
                    740c                     JZ           0x7ffd3cfaf133
                    4881cae8ff0f00           OR           RDX, 0xfffe8
                    833a01                   CMP          DWORD [RDX], 0x1
                    7435                     JZ           0x7ffd3cfaf168
                    498bc0                   MOV          RAX, R8
                    4981e0a0c0ffff           AND          R8, 0xffffffffffffc0a0

8  00007FFD3A505F69 xul.dll
9  00007FFD3A50611B xul.dll
10 00007FFD3CFF9A07 xul.dll

Process Trace
1  C:\Program Files\SeaMonkey\seamonkey.exe [18136]
2  C:\Windows\explorer.exe [11128]
3  C:\Windows\System32\userinit.exe [10980]
4  C:\Windows\System32\winlogon.exe [812]
winlogon.exe

Thumbprint
6b7c6ddb5008f8cfec2b72d6c65841972bb2c3f0f227ed14ea6b1187aec1429d


This is a security problem. According to Sophos, Seamonkey is doing
something it should not be doing, perhaps executing a piece of malicious
code from a web site?

I've seen the problem more often now, and I wonder if someone can have a
look at it?

To escape Avast's nagging and frivolous complexity (why is a typical user designing his own scan parameters?) I switched to Kaspersky. Kaspersky solved these problems but had the unfortunate side effect of blocking SeaMonkey in well over half of my attempts to access websites.

Without commenting on the legitimacy of the security concerns raised by Kaspersky and Sophos, since I really don't know, I can say that this problem does not occur with Bit Defender, which knows how to stay out of your life while doing its job and is a pleasure to use. Its one quirk with Windows machines is that System Restore only works in safe mode - which for me is no biggie.


_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
