Sophos reports an ROP problem, and shuts Seamonkey down.

I have Sophos anti-virus (etc.) running on my PC, and a few days ago it 
reported a ROP problem with Seamonkey and closed it down.

After restarting Seamonkey everything was fine again.

Sophos gave this trace of the problem:

Mitigation   ROP

Platform     10.0.17134/x64 v614 06_3a
PID          18136
Application  C:\Program Files\SeaMonkey\seamonkey.exe
Description  SeaMonkey 2.49.3

Callee Type  LoadLibrary

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFD8A0FBC4D KernelBase.dll
2  00007FFD8D6927D7 ntdll.dll
3  00007FFD8D67AC26 ntdll.dll                __C_specific_handler +0x96
4  00007FFD8D68EDCD ntdll.dll                __chkstk +0x11d
5  00007FFD8D5F6C86 ntdll.dll
6  00007FFD8D68DCFE ntdll.dll                KiUserExceptionDispatcher +0x2e

7  00007FFD3CFAF0FD xul.dll
                     80791000                 CMP          BYTE [RCX+0x10], 0x0
                     7465                     JZ 0x7ffd3cfaf168
                     83b91c2b000000           CMP          DWORD [RCX+0x2b1c], 0x0
                     7416                     JZ 0x7ffd3cfaf122
                     498bc0                   MOV          RAX, R8
                     482500f0ffff             AND          RAX, 0xfffffffffffff000
                     488b4008                 MOV          RAX, [RAX+0x8]
                     83b87008000000           CMP          DWORD [RAX+0x870], 0x0
                     7446                     JZ 0x7ffd3cfaf168
                     4d85c0                   TEST         R8, R8
                     740c                     JZ 0x7ffd3cfaf133
                     4881cae8ff0f00           OR           RDX, 0xfffe8
                     833a01                   CMP          DWORD [RDX], 0x1
                     7435                     JZ 0x7ffd3cfaf168
                     498bc0                   MOV          RAX, R8
                     4981e0a0c0ffff           AND          R8, 0xffffffffffffc0a0

8  00007FFD3A505F69 xul.dll
9  00007FFD3A50611B xul.dll
10 00007FFD3CFF9A07 xul.dll

Process Trace
1  C:\Program Files\SeaMonkey\seamonkey.exe [18136]
2  C:\Windows\explorer.exe [11128]
3  C:\Windows\System32\userinit.exe [10980]
4  C:\Windows\System32\winlogon.exe [812]
winlogon.exe

Thumbprint
6b7c6ddb5008f8cfec2b72d6c65841972bb2c3f0f227ed14ea6b1187aec1429d


0
Dirk
5/16/2018 9:51:39 AM
mozilla.support.seamonkey


Dirk Munk wrote:
> I have Sophos anti-virus (etc.) running on my PC, and a few days ago 
> it reported a ROP problem with Seamonkey and closed it down.
>
> After restarting Seamonkey everything was fine again.
>
> Sophos gave this trace of the problem:
This is a security problem. According to Sophos, Seamonkey is doing 
something it should not be doing, perhaps executing a piece of malicious 
code from a web site?

I've seen the problem more often now, and I wonder if someone can have a 
look at it?
0
Dirk
5/29/2018 12:02:49 PM
On 5/29/2018 8:02 AM, Dirk Munk wrote:
> This is a security problem. According to Sophos, Seamonkey is doing
> something it should not be doing, perhaps executing a piece of malicious
> code from a web site?
>
> I've seen the problem more often now, and I wonder if someone can have a
> look at it?

To escape Avast's nagging and frivolous complexity (why is a typical 
user designing his own scan parameters?) I switched to Kaspersky. 
Kaspersky solved these problems but had the unfortunate side effect of 
blocking SeaMonkey in well over half of my attempts to access websites.

Without commenting on the legitimacy of the security concerns raised by 
Kaspersky and Sophos, since I really don't know, I can say that this 
problem does not occur with Bit Defender, which knows how to stay out of 
your life while doing its job and is a pleasure to use. Its one quirk 
with Windows machines is that System Restore only works in safe mode - 
which for me is no biggie.


0
Roger
5/29/2018 12:39:14 PM
Seems to be a "feature" of Sophos to report possible ROP problems in any 
software. Use latest compatible Noscript and uBlock and just add an exception 
in Sophos. If this isn't possible ditch Sophos.

FRG

0
Frank
5/29/2018 5:39:17 PM
On 5/29/18, Frank-Rainer Grahl wrote:
> Seems to be a "feature" of Sophos to report possible ROP problems in any
> software. Use latest compatible Noscript and uBlock and just add an
> exception in Sophos.

If one wanted to check and see if maybe the possible ROP problem
really was the result of executing a piece of malicious code from a
web site, how would you go about it?

I tried this:
C:\Temp>type startSM-with-logging.bat
@REM see  https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
@REM

@rem set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5

set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:3
@rem nsHttp:3   log only http request and response headers

set MOZ_LOG_FILE=%TEMP%\sm-log.txt

"c:\Program Files (x86)\SeaMonkey\SeaMonkey.exe"


which is 1) more verbose than I'd like and 2) not so easy to parse.
Is there some other way to keep track of what all SeaMonkey gets off the web?

Thanks
Lee


0
Lee
5/29/2018 9:04:05 PM
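
One way to make the log written by the batch file above easier to read when checking what was fetched shortly before an alert, as an added example that is not part of the original posts. It assumes the MOZ_LOG line layout shown in the first comment; the log lines are constructed, and the function names and the 30-second window are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Assumed MOZ_LOG line layout (timestamp option on, nsHttp at level 3):
#   2018-01-01 21:03:58.120000 UTC - [Socket Thread]: I/nsHttp   GET /a HTTP/1.1
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{1,6}) UTC - "
    r"\[(?P<thread>[^\]]*)\]: \w/nsHttp (?P<msg>.*)$"
)
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d")

# Constructed sample lines (not taken from a real session).
SAMPLE_LOG = """\
2018-01-01 21:03:10.100000 UTC - [Socket Thread]: I/nsHttp http request [
2018-01-01 21:03:10.100100 UTC - [Socket Thread]: I/nsHttp   GET /index.html HTTP/1.1
2018-01-01 21:03:10.100200 UTC - [Socket Thread]: I/nsHttp   Host: www.example.com
2018-01-01 21:03:10.100300 UTC - [Socket Thread]: I/nsHttp   User-Agent: constructed
2018-01-01 21:03:10.100400 UTC - [Socket Thread]: I/nsHttp ]
2018-01-01 21:03:10.400000 UTC - [Socket Thread]: I/nsHttp http response [
2018-01-01 21:03:10.400100 UTC - [Socket Thread]: I/nsHttp   HTTP/1.1 200 OK
2018-01-01 21:03:10.400200 UTC - [Socket Thread]: I/nsHttp ]
2018-01-01 21:03:55.000000 UTC - [Socket Thread]: I/nsHttp http request [
2018-01-01 21:03:55.000100 UTC - [Socket Thread]: I/nsHttp   GET /ads/frame.js HTTP/1.1
2018-01-01 21:03:55.000200 UTC - [Socket Thread]: I/nsHttp   Host: cdn.example.net
2018-01-01 21:03:55.000300 UTC - [Socket Thread]: I/nsHttp ]
""".splitlines()


def parse_requests(lines):
    """Collect (utc_time, method, host, target) from 'http request [' blocks."""
    open_blocks = {}  # thread name -> request block currently being read
    found = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # other log modules or lines that do not fit the layout
        thread, msg = m["thread"], m["msg"].strip()
        if msg == "http request [":
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            open_blocks[thread] = {"ts": ts, "method": None,
                                   "target": None, "host": None}
            continue
        block = open_blocks.get(thread)
        if block is None:
            continue  # response headers or unrelated nsHttp messages
        if msg == "]":
            del open_blocks[thread]
            if block["method"]:
                found.append((block["ts"], block["method"],
                              block["host"] or "?", block["target"]))
            continue
        req = REQUEST_LINE_RE.match(msg)
        if req and block["method"] is None:
            block["method"], block["target"] = req["method"], req["target"]
        elif msg.lower().startswith("host:"):
            block["host"] = msg.split(":", 1)[1].strip()
    return found


def requests_before(found, alert_utc, window_seconds=30):
    """Requests logged in the window leading up to the alert time (UTC)."""
    start = alert_utc - timedelta(seconds=window_seconds)
    return [r for r in found if start <= r[0] <= alert_utc]


if __name__ == "__main__":
    # Constructed alert time; a real one must be converted to UTC first.
    alert = datetime(2018, 1, 1, 21, 4, 0)
    for ts, method, host, target in requests_before(parse_requests(SAMPLE_LOG), alert):
        print(ts.isoformat(), method, host + target)
```

The log timestamps are in UTC, so a local alert time has to be converted before filtering.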
Lee wrote:
> On 5/29/18, Frank-Rainer Grahl wrote:
>> Seems to be a "feature" of Sophos to report possible ROP problems in any
>> software. Use latest compatible Noscript and uBlock and just add an
>> exception in Sophos.
> 
> If one wanted to check and see if maybe the possible ROP problem
> really was the result of executing a piece of malicious code from a
> web site, how would you go about it?
> 
> I tried this:
> C:\Temp>type startSM-with-logging.bat
> @REM see  https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
> @REM
> 
> @rem set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5
> 
> set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:3
> @rem nsHttp:3   log only http request and response headers
> 
> set MOZ_LOG_FILE=%TEMP%\sm-log.txt
> 
> "c:\Program Files (x86)\SeaMonkey\SeaMonkey.exe"
> 
> 
> which is 1) more verbose than I'd like and 2) not so easy to parse.
> Is there some other way to keep track of what all SeaMonkey gets off the web?
> 
> Thanks
> Lee
> 
> 
What is ROP?  I found 4 possible expansions for that abbreviation.
Remote Operation
Readout Protection
Return-oriented Programming
RISC Operation (Reduced Instruction Set Code)
0
EE
5/30/2018 7:48:18 PM
On 5/30/18, EE <nunya@bees.wax> wrote:
> What is ROP?  I found 4 possible expansions for that abbreviation.

In the context of an anti-virus msg, most probably
> Return-oriented Programming

see
  https://www.coursera.org/learn/software-security/lecture/vjGZA/return-oriented-programming-rop
which gets about half way thru & prompts you to sign up :(  But it's
enough for you to get the idea

Lee
0
Lee
5/30/2018 8:41:01 PM
On 30/05/2018 21:48, EE wrote:

> What is ROP?  I found 4 possible expansions for that abbreviation.

https://en.wikipedia.org/wiki/Return-oriented_programming
0
Mason83
5/31/2018 8:28:53 PM