
Disturbing B&PP Behavior



Trusting no one or anything when it comes to on-line banking, my standard procedure using B&PP is to check the Firefox cache at its startup and to clear the cache prior to B&PP shutdown.

This afternoon, I start B&PP via the desktop icon option. Note I have the B&PP option to protect all browsers disabled. I check the Firefox cache and it shows 14 MB. Err... that's not right. I clear the cache and proceed with the B&PP session.

At the end of the B&PP session, I check my User Temp folder and there is a newly created 14 MB file named tempaddon. I submit it to VT: https://www.virustotal.com/gui/file/32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03. VT states it's a .zip file masquerading as a Chrome extension. The .zip file also contains a Win PE in it. Err... what? The .zip file is named 4.10.2710.0-win-x64.zip, which interestingly VT originally showed before changing the detection to tempaddon.

First, how was an alias Chrome extension created in Firefox in B&PP mode, and why was it apparently allowed to load, since B&PP is supposed to block all extensions from loading?

tmpaddon.zip

Edited by itman
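A small triage helper for the situation described above (a file in the user Temp folder that turns out to be a .zip carrying a Windows PE). This is an added example, not code from the post or from ESET; it builds its own constructed sample archive rather than touching the real tempaddon file, and the member names inside that sample are made up.

```python
"""Triage a suspect file from %TEMP%: is it really a zip, and does it carry a PE inside?"""
import hashlib
import os
import tempfile
import zipfile

PE_MAGIC = b"MZ"           # DOS/PE header signature
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a zip archive


def sha256_file(path):
    """Hash the file so it can be looked up on VirusTotal without uploading it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_archive(path):
    """Report hash, zip-ness, member names and which members start with an MZ header."""
    with open(path, "rb") as f:
        head = f.read(4)
    info = {"sha256": sha256_file(path), "is_zip": head == ZIP_MAGIC,
            "members": [], "pe_members": []}
    if not info["is_zip"]:
        return info  # name/extension says nothing; only the magic bytes count
    with zipfile.ZipFile(path) as zf:
        for m in zf.infolist():
            if m.is_dir():
                continue
            info["members"].append(m.filename)
            with zf.open(m) as member:
                if member.read(2) == PE_MAGIC:
                    info["pe_members"].append(m.filename)
    return info


def build_constructed_sample(directory):
    """Constructed stand-in for tempaddon: a manifest plus a fake PE stub (not real code)."""
    path = os.path.join(directory, "tempaddon")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("manifest.json", '{"name": "constructed sample", "version": "0.0.0"}')
        zf.writestr("cdm_stub.dll", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)  # assumed name
    return path


def triage_constructed_sample():
    with tempfile.TemporaryDirectory() as d:
        return inspect_archive(build_constructed_sample(d))
```

Point `inspect_archive` at the real file to get the SHA-256 for a VT search and the list of PE members without executing anything.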

A bit more research yields the following.

Both in normal and B&PP Firefox mode, five add-on exceptions existed. They all appear to be Mozilla related with two of them for Private mode. I certainly didn't create these exceptions. I deleted all these exceptions and doing so doesn't appear to impact FF. Also, the exceptions have not reappeared.


Getting closer...

The tmpaddon file is related to media DRM processing as noted here: https://forum.puppylinux.com/viewtopic.php?t=5454. The problem is it's related to Linux and not Windows as best as I can determine. Also, this file only shows up in B&PP mode and not regular Firefox mode.

-Correction- Firefox uses Google's Widevine plug-in: https://www.widevine.com/. Notable is the number of times Widevine has been exploited:

Quote

Widevine has been exploited multiple times. Researchers at Ben-Gurion University of the Negev discovered a vulnerability in Widevine in June 2016; the vulnerability allowed users to obtain a decrypted version of protected content in cache.[57]

In January 2019, security researcher David Buchanan claimed to have broken Widevine L3 through a differential fault analysis attack in Widevine's white-box implementation of AES-128, allowing Buchanan to retrieve the original key used to encrypt a stream. The MPEG-CENC stream could then be decrypted using ffmpeg.[58][59] A similar vulnerability was exploited in October 2020.[60]

https://en.wikipedia.org/wiki/Widevine

The question still remains why the tmpaddon file showed up after a B&PP session. The date of last update of the plug-in was 10/13.

Edited by itman

5 hours ago, itman said:

The question still remains why the tmpaddon file showed up after a B&PP session. The date of last update of the plug-in was 10/13.

Got this straightened out although I don't like what I am seeing.

Eset creates a separate Firefox profile for B&PP use. The Google Widevine plug-in updated yesterday on the B&PP Firefox profile. Why it took six days to do so is beyond me. I had used B&PP after 10/13. Also not explained is why the update was sitting in Firefox's cache with the tmpaddon file created in the user Temp directory.


  • ESET Staff

BPP doesn't block the Widevine plugin in either SecureAllBrowsers mode or the isolated browser (BPP running from the desktop shortcut). Use of this plugin is part of Firefox's default settings. If you don't plan to watch Netflix in BPP, you can disable it in your Firefox settings > General > Digital Rights Management (DRM) Content - uncheck "Play DRM-controlled content".

https://support.mozilla.org/en-US/kb/enable-drm

And why was the update sitting in Firefox's cache the way you mentioned? When it's not blocked by ESET, it's up to Firefox to handle the plugin/cache/update based on its implementation.

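Because B&PP uses its own Firefox profile (as noted earlier in the thread), unchecking DRM in the everyday profile does not cover the isolated one. The check below, an added example and not ESET's or Mozilla's code, reads a profile's prefs.js/user.js and reports whether DRM playback is explicitly off; it assumes the pref names media.eme.enabled and media.gmp-widevinecdm.enabled, and the profile folders it creates are constructed.

```python
"""Report whether a Firefox profile has DRM (EME / Widevine) playback switched off."""
import os
import re
import tempfile

# Assumed pref names behind the "Play DRM-controlled content" checkbox; a pref that is
# absent from prefs.js is at Firefox's default, which on release builds means enabled.
DRM_PREFS = ("media.eme.enabled", "media.gmp-widevinecdm.enabled")
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')


def read_prefs(prefs_path):
    """Parse user_pref(...) lines into a dict of pref name -> raw value text."""
    prefs = {}
    with open(prefs_path, encoding="utf-8", errors="replace") as f:
        for line in f:
            m = PREF_RE.match(line.strip())
            if m:
                prefs[m.group(1)] = m.group(2)
    return prefs


def drm_status(profile_dir):
    """Return {pref: 'true' | 'false' | 'default'} for one profile directory."""
    prefs = {}
    for name in ("prefs.js", "user.js"):  # user.js is applied last, as Firefox does at startup
        p = os.path.join(profile_dir, name)
        if os.path.exists(p):
            prefs.update(read_prefs(p))
    return {k: prefs.get(k, "default") for k in DRM_PREFS}


def drm_disabled(profile_dir):
    """True only when every DRM pref is explicitly false; a default-enabled profile is False."""
    return all(v == "false" for v in drm_status(profile_dir).values())


def check_constructed_profiles():
    """Two constructed profiles: one left at defaults, one with DRM unchecked."""
    with tempfile.TemporaryDirectory() as d:
        untouched = os.path.join(d, "default.bpp")
        os.makedirs(untouched)
        with open(os.path.join(untouched, "prefs.js"), "w") as f:
            f.write('user_pref("browser.startup.page", 1);\n')
        hardened = os.path.join(d, "hardened.bpp")
        os.makedirs(hardened)
        with open(os.path.join(hardened, "prefs.js"), "w") as f:
            f.write('user_pref("media.eme.enabled", false);\n'
                    'user_pref("media.gmp-widevinecdm.enabled", false);\n')
        return drm_disabled(untouched), drm_disabled(hardened)
```

Run `drm_status` against each profile folder listed in profiles.ini (on Windows under %APPDATA%\Mozilla\Firefox) so the B&PP profile is checked as well as the default one.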

13 hours ago, constexpr said:

If you don't plan to watch Netflix in BPP, you can disable it in your Firefox settings

You "beat me to the posting punch." I was just going to post that this is exactly what I was going to do in the Firefox settings for isolated browser mode.
