[tor-bugs] Re: [Tor Bug Tracker] #1115: jqnotify.exe starting with tbb-firefox.exe
#1115: jqnotify.exe starting with tbb-firefox.exe
-------------------------------------------+--------------------------------
Reporter: Sandy | Owner: phobos
Type: defect | Status: closed
Priority: minor | Milestone:
Component: Tor-Tor bundles/installation | Version: 0.2.1.19
Resolution: fixed | Keywords:
-------------------------------------------+--------------------------------
Changes (by phobos):
* status: assigned => closed
* resolution: None => fixed
Old description:
> Java Quick Starter...
>
> When Tor Browser Bundle starts and tbb-firefox.exe loads, tbb-firefox.exe
> scans the host registry for installed Add-Ons
> at the following locations[1]:
>
> HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\
>
> HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\
>
> If Java Platform is installed on the host system it writes a registry
> value to one, or both, of those keys.
> The registry value is the plugin "Java Quick Starter", and the value is
> named "jq@xxxxxxx". The hard path to the file
> is "C:\Program Files\Java\jre6\lib\deploy\jqs\ff".
>
> Those two registry keys have been vectors for malware attacks on firefox
> via add-ons in the past[1]...
>
> Using the Sysinternals application "Process Explorer" one can watch in
> real-time as the file "jqnotify.exe" is called by
> tbb-firefox.exe. One needs to pay attention, because it loads and then
> closes in a second or two. I apply this setting
> in Process Explorer "View > Show New Process" so each new process called
> gets a highlighted color, which makes seeing the file's
> sudden appearance easier. I am unsure how far back this has been a
> problem with Java Platform, version wise. But it's
> been a problem for a while at least.
>
> When I start TBB in a sandbox I used to get errors about "jsnotify.exe"
> trying to access the "internet". Well, if I
> am correct, and I could be wrong, jsnotify.exe doesn't connect to the
> internet, but does try to access the pipe
> "\Device\Afd\Endpoint". That is when it hits the sandbox walls facing
> the internet.
>
> To fix this I just prevent any application within the sandbox from
> reading those two keys. Maybe someone can hack the
> firefoxportable which ships with TBB so it won't read those two keys?
> That seems like a good solution, though I have
> no idea if it's 'hard' to accomplish or not.
>
> From what Phobos said last night, TBB currently disables the "Java Quick
> Starter" Add-On in firefoxportable. But,
> uninstalling the Add-On is not possible, it's always grayed out. That is
> a trick by Java Platform to prevent the
> removal of their Add-On. If a user wants to remove the Add-On from their
> registry all they do is delete the value
> "js@xxxxxxx" and then configure the Java GUI to not load Java Quick
> Starter. OTOH, simply deleting the registry
> value "js@xxxxxxx" might be enough, I'll try to see if I can get Java to
> reinstall the Add-On into my registry and play
> with it a bit more.
>
> Here are some relevant threads from Mozilla and other pieces of
> background info, etc:
>
> http://support.mozilla.com/tiki-view_forum_thread.php?locale=lt&comments_parentId=362460&forumId=1
>
> http://forums.mozillazine.org/viewtopic.php?f=38&t=921325&sid=515e4e29b64ba8c12e52c5ce15504d40
>
> Good forum post with registry info on removing the Java Add-on:
> http://forums.mozillazine.org/viewtopic.php?p=4837715#p4837715
>
> [1] http://kb.mozillazine.org/Uninstalling_add-ons#Windows_Registry_extension
>
> Contact me at IRC if you need more info. I should be around the next few
> days at least.
>
> [Automatically added by flyspray2trac: Operating System: Windows 2k/XP]
New description:
Java Quick Starter...
When Tor Browser Bundle starts and tbb-firefox.exe loads, tbb-firefox.exe
scans the host registry for installed Add-Ons
at the following locations[1]:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\
HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\
If Java Platform is installed on the host system it writes a registry
value to one, or both, of those keys.
The registry value is the plugin "Java Quick Starter", and the value is
named "jq@xxxxxxx". The hard path to the file
is "C:\Program Files\Java\jre6\lib\deploy\jqs\ff".
Those two registry keys have been vectors for malware attacks on firefox
via add-ons in the past[1]...
Using the Sysinternals application "Process Explorer" one can watch in
real-time as the file "jqnotify.exe" is called by
tbb-firefox.exe. One needs to pay attention, because it loads and then
closes in a second or two. I apply this setting
in Process Explorer "View > Show New Process" so each new process called
gets a highlighted color, which makes seeing the file's
sudden appearance easier. I am unsure how far back this has been a
problem with Java Platform, version wise. But it's
been a problem for a while at least.
When I start TBB in a sandbox I used to get errors about "jsnotify.exe"
trying to access the "internet". Well, if I
am correct, and I could be wrong, jsnotify.exe doesn't connect to the
internet, but does try to access the pipe
"\Device\Afd\Endpoint". That is when it hits the sandbox walls facing the
internet.
To fix this I just prevent any application within the sandbox from reading
those two keys. Maybe someone can hack the
firefoxportable which ships with TBB so it won't read those two keys?
That seems like a good solution, though I have
no idea if it's 'hard' to accomplish or not.
From what Phobos said last night, TBB currently disables the "Java Quick
Starter" Add-On in firefoxportable. But,
uninstalling the Add-On is not possible, it's always grayed out. That is
a trick by Java Platform to prevent the
removal of their Add-On. If a user wants to remove the Add-On from their
registry all they do is delete the value
"js@xxxxxxx" and then configure the Java GUI to not load Java Quick
Starter. OTOH, simply deleting the registry
value "js@xxxxxxx" might be enough, I'll try to see if I can get Java to
reinstall the Add-On into my registry and play
with it a bit more.
Here are some relevant threads from Mozilla and other pieces of background
info, etc:
http://support.mozilla.com/tiki-view_forum_thread.php?locale=lt&comments_parentId=362460&forumId=1
http://forums.mozillazine.org/viewtopic.php?f=38&t=921325&sid=515e4e29b64ba8c12e52c5ce15504d40
Good forum post with registry info on removing the Java Add-on:
http://forums.mozillazine.org/viewtopic.php?p=4837715#p4837715
[1] http://kb.mozillazine.org/Uninstalling_add-ons#Windows_Registry_extension
Contact me at IRC if you need more info. I should be around the next few
days at least.
[Automatically added by flyspray2trac: Operating System: Windows 2k/XP]
--
Comment:
This hasn't happened since 1.2.x. In fact I could never recreate the
problem. Closing.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1115#comment:3>
Tor Bug Tracker <https://trac.torproject.org/>
The Tor Project: anonymity online
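The report above describes Firefox picking up extensions registered under two registry keys, which is how Java Quick Starter gets loaded. The following audit script is an added example, not code from the ticket or from the Tor Project; it lists every extension registered under those two keys, checks whether the target directory exists and carries a legacy install.rdf manifest, and flags entries pointing at the Java Quick Starter path named in the report. The key list and the "\deploy\jqs\ff" pattern come from the ticket; everything else is assumed.

```powershell
# Added example (not from the ticket): audit Firefox extensions that are
# registered through the registry rather than installed by the user.
# Read-only; works without elevation since it only reads HKCU and HKLM.

function Get-RegistryFirefoxExtension {
    param(
        # The two keys the report says tbb-firefox.exe scans at startup.
        [string[]]$Keys = @(
            'HKCU:\Software\Mozilla\Firefox\Extensions',
            'HKLM:\Software\Mozilla\Firefox\Extensions'
        )
    )
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $target = [string]$item.GetValue($name)
            $exists = $false
            $hasManifest = $false
            if (-not [string]::IsNullOrWhiteSpace($target)) {
                $exists = Test-Path -LiteralPath $target
                # Legacy (pre-WebExtension) add-ons keep install.rdf at the root.
                $hasManifest = $exists -and
                    (Test-Path -LiteralPath (Join-Path $target 'install.rdf'))
            }
            [pscustomobject]@{
                Hive               = $key.Split(':')[0]
                ValueName          = $name        # extension id, e.g. jq@<vendor>
                TargetPath         = $target
                PathExists         = $exists
                HasManifest        = $hasManifest
                # Path fragment from the report for Java Quick Starter's add-on.
                IsJavaQuickStarter = $target -like '*\deploy\jqs\ff*'
            }
        }
    }
}

# Print the audit; review any entry you did not install yourself.
Get-RegistryFirefoxExtension | Format-Table -AutoSize
```

Any row with PathExists false is a dangling registration worth cleaning up, and any row flagged IsJavaQuickStarter is the value the reporter suggests deleting before disabling Java Quick Starter in the Java control panel.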