itman, Posted October 19 (edited)

Trusting no one or anything when it comes to on-line banking, my standard procedure using B&PP is to check the Firefox cache at its startup and to clear the cache prior to B&PP shutdown. This afternoon, I started B&PP via the desktop icon option. Note I have the B&PP option to protect all browsers disabled. I checked the Firefox cache and it showed 14 MB. Err... that's not right. I cleared the cache and proceeded with the B&PP session. At the end of the B&PP session, I checked my User Temp folder and there was a newly created 14 MB file named tempaddon. I submitted it to VT: https://www.virustotal.com/gui/file/32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 . VT states it's a .zip file masquerading as a Chrome extension. The .zip file also contains a Win PE in it. Err ........... what? The .zip file is named 4.10.2710.0-win-x64.zip, which interestingly VT originally showed before changing the detection to tempaddon.

First, how was an alias Chrome extension created in Firefox in B&PP mode, and why was it apparently allowed to load, since B&PP is supposed to block all extensions from loading?

Attachment: tmpaddon.zip

Edited October 19 by itman
itman (Author), Posted October 20

A bit more research yields the following. Both in normal and B&PP Firefox mode, five add-on exceptions existed. They all appear to be Mozilla related, with two of them for Private mode. I certainly didn't create these exceptions. I deleted all these exceptions and doing so doesn't appear to impact FF. Also, the exceptions have not reappeared.
itman (Author), Posted October 20 (edited)

Getting closer .......... The tmpaddon file is related to media DRM processing as noted here: https://forum.puppylinux.com/viewtopic.php?t=5454 . The problem is it's related to Linux and not Windows as best as I can determine. Also, this file only shows up in B&PP mode and not regular Firefox mode.

-Correction- Firefox uses Google's Widevine plug-in: https://www.widevine.com/ . Notable is the number of times Widevine has been exploited:

Quote: Widevine has been exploited multiple times. Researchers at Ben-Gurion University of the Negev discovered a vulnerability in Widevine in June 2016; the vulnerability allowed users to obtain a decrypted version of protected content in cache.[57] In January 2019, security researcher David Buchanan claimed to have broken Widevine L3 through a differential fault analysis attack in Widevine's white-box implementation of AES-128, allowing Buchanan to retrieve the original key used to encrypt a stream. The MPEG-CENC stream could then be decrypted using ffmpeg.[58][59] A similar vulnerability was exploited in October 2020.[60]
https://en.wikipedia.org/wiki/Widevine

The question still remains why the tmpaddon file showed up after a B&PP session. The date of last update of the plug-in was 10/13.

Edited October 20 by itman
itman (Author), Posted October 20

5 hours ago, itman said: "The question still remains why the tmpaddon file showed up after a B&PP session. The date of last update of the plug-in was 10/13."

Got this straightened out, although I don't like what I am seeing. Eset creates a separate Firefox profile for B&PP use. The Google Widevine plug-in updated yesterday on the B&PP Firefox profile. Why it took six days to do so is beyond me. I had used B&PP after 10/13. Also not explained is why the update was sitting in Firefox's cache with the tmpaddon file created in the user Temp directory.
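The stray archive in the Temp directory is the kind of artifact worth triaging locally before (or instead of) uploading it anywhere. The following is an added example, not code from this thread, from ESET or from Mozilla: it builds a small constructed zip in memory so it runs offline, lists the entries, flags any entry that starts with the "MZ" magic of a Windows PE file (the detail that made the VT result look alarming above), and computes the archive's SHA-256 so the file can be looked up on VirusTotal by hash without submitting it. The entry names inside the constructed archive are assumptions, not the contents of the real tmpaddon.zip.

```python
"""Offline triage of an unexpected archive found in a user's Temp directory.

Added example for the thread above; not ESET's or Mozilla's code. The sample
archive is constructed here so the script runs without the real tmpaddon.zip.
"""
import hashlib
import io
import zipfile

PE_MAGIC = b"MZ"  # first two bytes of every Windows PE image


def build_sample_archive() -> bytes:
    """Constructed stand-in for a CDM update package (names are assumptions)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", '{"name": "constructed-cdm", "version": "0.0.0.0"}')
        # Fake PE: only the magic is real, the rest is padding.
        zf.writestr("widevinecdm.dll", PE_MAGIC + b"\x90" * 62)
        zf.writestr("LICENSE.txt", b"constructed sample, not real content")
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Hash to look the file up on VirusTotal without uploading it."""
    return hashlib.sha256(data).hexdigest()


def triage_zip(data: bytes) -> dict:
    """List archive entries and flag those that look like PE executables."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a zip archive")
    entries, pe_entries = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entries.append(info.filename)
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    pe_entries.append(info.filename)
    return {
        "sha256": sha256_hex(data),
        "entries": entries,
        "pe_entries": pe_entries,
        "contains_pe": bool(pe_entries),
    }


def triage_path(path: str) -> dict:
    """Convenience wrapper for a real file, e.g. %TEMP%\\tmpaddon."""
    with open(path, "rb") as fh:
        return triage_zip(fh.read())


if __name__ == "__main__":
    report = triage_zip(build_sample_archive())
    print("sha256:", report["sha256"])
    for name in report["entries"]:
        tag = "  [PE]" if name in report["pe_entries"] else ""
        print(" ", name + tag)
```

Run `triage_path(r"C:\Users\<you>\AppData\Local\Temp\tmpaddon")` against the real file; a CDM package is expected to contain a PE (the decryption module itself), so "contains_pe" alone is not evidence of tampering, but the hash lets you confirm it is the same file VT already classified.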
constexpr (ESET Staff), Posted October 21

BPP doesn't block the Widevine plugin, neither in SecureAllBrowsers mode nor in the isolated browser (BPP running from the desktop shortcut). Use of this plugin is part of Firefox's default settings. If you don't plan to watch Netflix in BPP, you can disable it in your Firefox settings > General > Digital Rights Management (DRM) Content - uncheck "Play DRM-controlled content": https://support.mozilla.org/en-US/kb/enable-drm

And why was the update sitting in Firefox's cache the way you mentioned? When it's not blocked by ESET, it's up to Firefox to handle the plugin/cache/update based on their implementation.
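Since B&PP uses its own Firefox profile, the DRM setting has to be checked in that profile, not the everyday one. The following is an added example (not from this thread, ESET or Mozilla) that reads a profile's prefs.js and reports whether DRM playback and the Widevine CDM are enabled. It relies on the Firefox preference names media.eme.enabled (the "Play DRM-controlled content" checkbox), media.gmp-widevinecdm.enabled and media.gmp-widevinecdm.version, which exist in Firefox but are not named in the thread; the assumption that an absent pref means "still at the enabled default" reflects how prefs.js only records non-default values. The prefs.js text used here is constructed.

```python
"""Report the DRM / Widevine state recorded in a Firefox profile's prefs.js.

Added example, not code from the ESET thread or from Mozilla. Pref names are
real Firefox preferences; the sample prefs.js content below is constructed.
"""
import re

# prefs.js lines look like: user_pref("name", value);
_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')


def _parse_value(raw: str):
    """Convert a prefs.js literal (bool, int or quoted string) to Python."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text: str) -> dict:
    """Return {pref_name: value} for every user_pref line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def drm_state(prefs: dict) -> dict:
    """Summarise DRM state. Assumption: prefs missing from prefs.js are at the
    Firefox default, which on Windows is EME and Widevine enabled."""
    eme = bool(prefs.get("media.eme.enabled", True))
    widevine = bool(prefs.get("media.gmp-widevinecdm.enabled", True))
    return {
        "eme_enabled": eme,
        "widevine_enabled": widevine,
        "widevine_version": prefs.get("media.gmp-widevinecdm.version"),
        "drm_can_load": eme and widevine,
    }


def drm_state_from_file(path: str) -> dict:
    """Read a real profile's prefs.js (UTF-8) and summarise it."""
    with open(path, encoding="utf-8") as fh:
        return drm_state(parse_prefs(fh.read()))


# Constructed samples: one profile with DRM unchecked, one left at defaults.
SAMPLE_DRM_OFF = """// Mozilla User Preferences
user_pref("media.gmp-widevinecdm.version", "0.0.0.0-constructed");
user_pref("media.eme.enabled", false);
"""
SAMPLE_DRM_DEFAULT = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for label, text in (("DRM off", SAMPLE_DRM_OFF), ("defaults", SAMPLE_DRM_DEFAULT)):
        print(label, drm_state(parse_prefs(text)))
```

Point drm_state_from_file at the prefs.js inside the B&PP profile directory (the one ESET creates, as itman observed) to confirm the checkbox change actually landed in the isolated profile rather than the regular one.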
itman (Author), Posted October 21

13 hours ago, constexpr said: "If you don't plan to watch Netflix in BPP, you can disable it in your Firefox settings"

You "beat me to the posting punch." I was just going to post that this is exactly what I was going to do in Firefox settings for isolated browser mode.