Re: [tor-talk] Flash executables keep starting in background when using TBB

On Tue, Jun 17, 2014 at 02:12:37PM -0500, Joe Btfsplk wrote:
> On 6/17/2014 12:33 PM, ÐÑÑÑÑ ÐÑÑÐÐÐÐ wrote:
> >On Tue, Jun 17, 2014 at 11:23:53AM -0500, Joe Btfsplk wrote:
> >>I'd still really like some help on finding what calls / causes the 2 flash
> >>.exe files to start in background.
> >>They're ALWAYS shown by Process Explorer, in the *same process tree -
> >>directly under TBB.*
> >>
> >>Is there a way to determine / log, *if another process is calling* those 2
> >>files, or to determine if TBB, or Flash, is calling the 2 files to start?
> >>Even though _no Flash vids are ever played_.  Below - Some additional
> >>replies to previous comments.
> >I can't reproduce your problem. There are two legitimate flash-player
> >processes under firefox (not tor's firefox).
> >
> >1. Update your system. Update flash-player (there is version 14
> >already). Update tor-browser if not already. Run antivirus. Reboot.
> >
> >2. Do not run any software. Run only tor-browser. Make sure flash-player
> >is disabled in settings. Go to https://helpx.adobe.com/flash-player.html
> >Click "Check Now" (Not installed? Good.)
> >
> >3. Run Process Explorer. Make screenshot with tor process and upload it
> >for us.
> >
> Are you saying you have Flash processes running under Fx (not TBB)?
> 1) Did you use Flash player in Fx, that would have started them, or do you
> not know what started them?

It was started after visiting https://helpx.adobe.com/flash-player.html
and clicking "Check Now".

> 2) Updating Flash: this has existed _over many Flash & TBB versions_. Each
> Flash ver. is completely uninstalled, before installing the new one.
> Each TBB version is installed to new folder. An infection is very low
> probability. No other signs & AV doesn't detect anything.
> Besides, AFAIK, the Flash files just sit there. They show a very few I/O
> bytes after starting, then nothing - for hours after the starting time
> stamp.

I tested in a virtual machine with an almost clean install of Windows 7.
Can't reproduce.

> 3) Yeah, I'd be happy to upload a Process Explorer screen - not sure I can
> do that, unless the list *will allow jpg attachments?* Will it?

Any image hosting, Dropbox, zalil.ru.

> 4) It's been very hard to predict or catch the Flash files starting. When I
> try visiting sites w/ Flash content that might start them, they don't start
> (short of playing Flash content, which I never do in TBB).
> It hasn't happened in last several days of using TBB.
> 5) >"/Do not run any software. Run only tor-browser/"
> That would mean a *long time* w/o use of my computer - possibly days, weeks.
> It's not like it happens within 30 min. (or at all), every time I use TBB.
> It does not happen every TBB session. When I catch the files running, I've
> tried re-visiting pages I may have visited recently, w/o success at
> reproducing it.
> But, sometimes the files have been running a good while & revisiting every
> single page PLUS *repeating exact navigation / clicks* on all pages may be
> nearly impossible.
> That's why I'm here. If it was easily & quickly reproducible, I probably
> wouldn't need to ask for help.
> I have no proof yet, but one theory is some websites could have JavaScript,
> or 3rd parties - that NoScript somehow doesn't block.
> I generally don't leave "Scripts globally allowed" enabled. That doesn't
> mean something can't slip by.
> Occasionally, sites require js from their base domain to even load or
> navigate a page. If you enable it, there could? be code, that tries to start
> Flash player, to automatically load or play some content.
> I'm just guessing.

It is all possible. But it is a serious security bug.

There are two instances of firefox.exe in Process Explorer if you run
ordinary Firefox and tor-browser. One - Mozilla Firefox, second -
Tor Firefox. Both are named firefox.exe and differ in icons. The first has
descendants - plugin-container.exe and flash players, if you visit a
page with flash. The second - one descendant - tor.exe. Could the
confusion be here? Maybe you confused these two processes and their respective

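One way to answer the "which process started the Flash files" question from the thread is to walk each Flash process's parent chain and check which firefox.exe it leads to. This is an added example, not code from the list or from the Tor project; it assumes the Tor Browser copy of firefox.exe lives under a folder named "Tor Browser" and that the Flash helper process names contain "flash".

```powershell
# Added example: map each running Flash process to its ancestors so you can
# tell whether the firefox.exe above it is Tor Browser's or Mozilla Firefox's.
# Win32_Process exposes ParentProcessId and ExecutablePath; Get-Process alone
# does not give you the parent.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-AncestorChain {
    param([int]$ProcessId)
    $chain = @()
    $seen  = @{}
    $cur = $byPid[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += $cur
        $parent = $byPid[[int]$cur.ParentProcessId]
        # Caveat: ParentProcessId is only a number. If the real parent already
        # exited, Windows may have reused that PID for an unrelated, newer
        # process, so stop when the "parent" is younger than the child.
        if ($parent -and $parent.CreationDate -and $cur.CreationDate -and
            $parent.CreationDate -gt $cur.CreationDate) { break }
        $cur = $parent
    }
    return $chain
}

# Assumption: the Flash helper names contain "flash"; adjust the pattern to the
# exact file names Process Explorer shows on your machine.
$flash = $procs | Where-Object { $_.Name -match 'flash' }
if (-not $flash) { Write-Host 'No Flash processes are running right now.' }

foreach ($f in $flash) {
    Write-Host ("`n{0} (PID {1}) started {2}" -f $f.Name, $f.ProcessId, $f.CreationDate)
    Write-Host ("  path: {0}" -f $f.ExecutablePath)
    foreach ($a in Get-AncestorChain -ProcessId ([int]$f.ProcessId)) {
        $tag = ''
        if ($a.Name -ieq 'firefox.exe') {
            # Assumption: Tor Browser's firefox.exe sits under a "Tor Browser" folder.
            $tag = if ($a.ExecutablePath -like '*Tor Browser*') { '  <-- Tor Browser' }
                   else { '  <-- Mozilla Firefox' }
        }
        Write-Host ("  {0} (PID {1}) {2}{3}" -f $a.Name, $a.ProcessId, $a.ExecutablePath, $tag)
    }
}
```

This only shows a snapshot; to record the start itself, enable process-creation auditing (Security log event 4688 carries the creator process ID) or Sysmon event 1, which logs the parent image for every new process.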