Another Reason Not To Use Secure All Protected Browsers Mode.

itman · November 5, 2022

If you do and your browser is Firefox, your Win Security-Mitigations event log - kernel mode will be full of the following blocked entries;

cofer123 · November 5, 2022

I love it when third-party software decides to meddle with browsers. It always ends well.

Edited November 5, 2022 by cofer123

Marcos · November 5, 2022

I've asked BPP developers to comment on it. It may not be necessarily a negative message indicating issues with Firefox I assume, however.

itman · November 5, 2022

It gets better.

I opened a stand alone B&PP session via its Eset desktop icon to perform a purchase from a web site I frequent often. I went directly to the web site and stayed on it during the entire session. No less than 39 of the above posted Security-Mitigations log entries were created.

Now this is very weird. The Firefox PID for each alert was a different number. Yes, Firefox generates multiple sub-processes. But not 39 of them ......................

Also, with ver. 16, Firefox is generating Security-Mitigations log entries that the .dll's Eset injects are not validly Microsoft code signed. However, it does allow the .dll's to be injected. This might have something to do with these Win32k.sys blocks.

Edited November 5, 2022 by itman

itman · November 5, 2022

Here's a "deep dive" into win32K.sys: https://www.i.u-tokyo.ac.jp/edu/training/ss/lecture/new-documents/Lectures/17-Win32K/Win32K.pdf .

Of note is its interfacing with keyboard drivers.

Marcos · November 5, 2022

This is from a system where ESET or other AV has never been installed:

Process '\Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Opera\opera.exe' (PID 7352) was blocked from making system calls to Win32k.sys.

itman · November 5, 2022

1 hour ago, Marcos said:

This is from a system where ESET or other AV has never been installed:

Process '\Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Opera\opera.exe' (PID 7352) was blocked from making system calls to Win32k.sys.

You're really trying hard here to justify the bork.

Yes, I have seen the alert for other processes; namely an Adobe Reader process.

I have in the past seen a couple of infrequent ones from Firefox on occasion. However, my Security-Mitigations event log was never bombarded with this alert which again, only show en mass while secured browser mode is active.

Edited November 5, 2022 by itman

Purpleroses · November 5, 2022

itman I have noticed this when I use to just used the banking redirect. But with secure all browsers I'm seeing a number of these also. So do we keep the secure all browsers enable or can we disable it?

constexpr · November 5, 2022

From my first quick analysis, this problem was there also before Secure All Browsers was enabled in v16, as Purpleroses noted, it happen when Secure browser start even before v16 release.

Security-Mitigation logs arise when secured browser started and new renderer process (with limited privileges) call WinAPI, with passes through the Win32k.sys to kernel. From log "Process firefox.exe' (PID xxx) was blocked from making system calls to Win32k.sys." is obvious, that this call was blocked (because of limited process privileges), so security of this process wasn't decreased, but system create mitigation log about it.

We will look at it with high priority, since then sorry for this increased number of Security-Mitigation events.

And itman, thanks for this report!

itman · November 5, 2022

58 minutes ago, Purpleroses said:

itman I have noticed this when I use to just used the banking redirect. But with secure all browsers I'm seeing a number of these also. So do we keep the secure all browsers enable or can we disable it?

The problem is the activity noted is being blocked while B&PP mode is in effect. If you have the secured all browsers option enabled, you will just get more of this block activity while in secure all browsers mode.

My main present concern is given the number of blocked events occurring is B&PP mode being compromised in any way?

We'll have to wait till Eset researches this more.

constexpr · November 5, 2022

36 minutes ago, itman said:

My main present concern is given the number of blocked events occurring is B&PP mode being compromised in any way?

We'll have to wait till Eset researches this more.

No, in Secure all browsers it just generate more logs, but BPP mode isn't more or less safe than before. No browser security, nor BPP hardening isn't affected.

Marcos · November 9, 2022

Banking and payment protection module 1287 is going to be released soon which will mitigate Security-Mitigations reports. Thank you for the heads-up.

Purpleroses · November 9, 2022

Marco so what does mitigate security mitigations mean?

Marcos · November 9, 2022

41 minutes ago, Purpleroses said:

Marco so what does mitigate security mitigations mean?

I mean that the Security-Mitigations log won't be filled with reports when Firefox, Edge or Chrome run with "Secure all browsers" enabled.

constexpr · November 16, 2022

BPP module with Security-Mitigations reports fix is fully released. Please check, if it helps also in your environment.

If you will encounter similar (or any) issue in the future, just let us know. We are here for you.

Sign In

Another Reason Not To Use Secure All Protected Browsers Mode.

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics