What's not to love about third-party software injecting itself into Firefox and causing crashes in the Rust standard library?
Third-party software can inject a DLL into firefox.exe that detours calls to NtOpenFile to monitor the use of this system call. Some of these third-party DLLs can assume that in any NtOpenFile call...
@evilpie Holy what now?
This walks like a social engineering attempt.
This swims like a social engineering attempt.
This quacks like a social engineering attempt.
@evilpie a crash is the _good_ outcome, surely? At least you find out about those immediately.
If the third-party implementation of NtOpenFile is ignoring the provided length parameter and instead looking for a terminating NUL, then a worse possibility is that you pass it a NUL-terminated pathname _longer_ than the length field, and then the security software looks at the file described by the longer name, but the real Windows API truncates it to the specified length and looks at a completely different file.
@evilpie Wait, antivirus software is injecting DLLs and not using the hooks that Windows provides for system call interception? So the AV code is running in the same address space as, and modifiable by, the suspected malware?
I’m used to AV software doing things that are vulnerable to decades-old attacks or weaken security, but this is incompetent even by those standards.
@david_chisnall @evilpie It is truly THAT bad. They claim they have a mandate to do that to best protect from web-based threats. All of this is obviously bad and wrong and causing way more harm than good.
And apparently none of them do integration tests with Firefox Beta or release candidate versions.
Tom Schuster
buherator
schrotthaufen
Andreas Grois
Simon Tatham
Fritz Adalis
agersant
David Chisnall (*Now with 50% more sarcasm!*)
Frederik Braun �