Opened 10 years ago

Closed 9 years ago

#1115 closed defect (fixed)

jqnotify.exe starting with tbb-firefox.exe

Reported by: Sandy
Owned by: phobos
Priority: Low
Milestone:
Component: Applications/Tor bundles/installation
Version: 0.2.1.19
Severity:
Keywords:
Cc: Sandy
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by phobos)

Java Quick Starter...

When Tor Browser Bundle starts and tbb-firefox.exe loads, tbb-firefox.exe scans the host registry for installed Add-Ons
at the following locations[1]:

HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\

HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\

If Java Platform is installed on the host system it writes a registry value to one, or both, of those keys.
The registry value is the plugin "Java Quick Starter", and the value is named "jq@…". The hard path to the file
is "C:\Program Files\Java\jre6\lib\deploy\jqs\ff".

Those two registry keys have been vectors for malware attacks on Firefox via add-ons in the past[1]...

Using the Sysinternals application "Process Explorer" one can watch in real time as the file "jqnotify.exe" is called by
tbb-firefox.exe. One needs to pay attention, because it loads and then closes in a second or two. I apply the setting
"View > Show New Process" in Process Explorer so each new process called gets a highlighted color, which makes seeing
the file's sudden appearance easier. I am unsure how far back this has been a problem with Java Platform, version-wise.
But it's been a problem for a while at least.

When I start TBB in a sandbox I used to get errors about "jqnotify.exe" trying to access the "internet". Well, if I
am correct, and I could be wrong, jqnotify.exe doesn't connect to the internet, but does try to access the pipe
"\Device\Afd\Endpoint". That is when it hits the sandbox walls facing the internet.

To fix this I just prevent any application within the sandbox from reading those two keys. Maybe someone can hack the
firefoxportable which ships with TBB so it won't read those two keys? That seems like a good solution, though I have
no idea if it's 'hard' to accomplish or not.

From what Phobos said last night, TBB currently disables the "Java Quick Starter" Add-On in firefoxportable. But
uninstalling the Add-On is not possible; it's always grayed out. That is a trick by Java Platform to prevent the
removal of their Add-On. If a user wants to remove the Add-On from their registry all they do is delete the value
"jq@…" and then configure the Java GUI to not load Java Quick Starter. OTOH, simply deleting the registry
value "jq@…" might be enough; I'll try to see if I can get Java to reinstall the Add-On into my registry and play
with it a bit more.

Here are some relevant threads from Mozilla and other pieces of background info, etc:

http://support.mozilla.com/tiki-view_forum_thread.php?locale=lt&comments_parentId=362460&forumId=1

http://forums.mozillazine.org/viewtopic.php?f=38&t=921325&sid=515e4e29b64ba8c12e52c5ce15504d40

Good forum post with registry info on removing the Java Add-on:
http://forums.mozillazine.org/viewtopic.php?p=4837715#p4837715

[1] http://kb.mozillazine.org/Uninstalling_add-ons#Windows_Registry_extension

Contact me at IRC if you need more info. I should be around the next few days at least.

[Automatically added by flyspray2trac: Operating System: Windows 2k/XP]
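One way to audit what those two keys register, as an added example that is not part of the ticket or of Tor Browser: a PowerShell script that lists every extension value under both keys, where its path points, and whether that path lies under Program Files (a system-wide install by another program, as the ticket describes for Java Quick Starter), plus a helper that performs the deletion step the ticket describes. The function names, the "jqs@" prefix and the "\deploy\jqs\" path fragment are assumptions.

```powershell
# Added example, not part of the ticket: audit Firefox extensions registered through the
# registry (the two keys named in the ticket) and optionally delete one value.
$ExtensionKeys = @(
    'HKCU:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Mozilla\Firefox\Extensions'
)
# Program Files roots; an add-on registered from here was put there by a system installer,
# not by the user from inside the browser (empty entry dropped on 32-bit Windows)
$ProgramDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-RegistryFirefoxExtension {
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }            # skip the key's (Default) value
            $path = [string]$item.GetValue($name)     # value data is the add-on's install folder
            [pscustomobject]@{
                Key        = $key
                Extension  = $name                    # extension ID, like the jq@... value in the ticket
                Path       = $path
                Exists     = ($path -ne '') -and (Test-Path -LiteralPath $path)
                SystemWide = [bool]($ProgramDirs | Where-Object { $path -like "$_\*" })
                # heuristic for the ticket's Java Quick Starter entry; both patterns are assumptions
                LikelyJQS  = ($name -like 'jqs@*') -or ($path -like '*\deploy\jqs\*')
            }
        }
    }
}

function Remove-RegistryFirefoxExtension {
    # deleting the value is the removal step the ticket describes; -WhatIf previews it
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name
    )
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Remove registry value')) {
        Remove-ItemProperty -Path $Key -Name $Name
    }
}

Get-RegistryFirefoxExtension | Format-Table -AutoSize
```

Run it as the user whose Firefox you are checking: HKCU entries are per-user, while HKLM entries apply to every account and normally need an elevated shell to remove.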

Change History (3)

comment:1 Changed 10 years ago by Sandy

A bit more:

I forgot to say that jqnotify.exe could be trying to access another internet device, \Device\Tcp. I can find out soon. I had
jqnotify.exe on a white list for \Device\Tcp, but not \Device\Afd. That is how I just happened to find this issue with
TBB. I always assumed this could not happen because the Add-On is disabled by default (I believe that's true for TBB).

comment:2 Changed 10 years ago by phobos

With TBB 1.2.9, I don't see this occurring on my test machine. jqnotify isn't called according to Process Explorer.
I'm still investigating.

comment:3 Changed 9 years ago by phobos

Description: modified (diff)
Resolution: None → fixed
Status: assigned → closed

This hasn't happened since 1.2.x. In fact I could never recreate the problem. Closing.
