jqnotify.exe starting with tbb-firefox.exe
Java Quick Starter...
When Tor Browser Bundle starts and tbb-firefox.exe loads, tbb-firefox.exe scans the host registry for installed Add-Ons at the following locations[1]:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\
HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\
If Java Platform is installed on the host system it writes a registry value to one, or both, of those keys.
The registry value registers the "Java Quick Starter" add-on: the value is named "jq@sun.com" and its data is the hard-coded path to the add-on's files,
"C:\Program Files\Java\jre6\lib\deploy\jqs\ff".
Those two registry keys have been vectors for malware attacks on Firefox via add-ons in the past[1].
Using the Sysinternals application "Process Explorer" one can watch in real time as the file "jqnotify.exe" is called by tbb-firefox.exe. One needs to pay attention, because it loads and then closes in a second or two. I apply this setting in Process Explorer, "View > Show New Process", so each new process called gets a highlighted color, which makes seeing the file's sudden appearance easier. I am unsure how far back this has been a problem with Java Platform, version-wise, but it's been a problem for a while at least.
When I start TBB in a sandbox I used to get errors about "jqnotify.exe" trying to access the "internet". Well, if I am correct, and I could be wrong, jqnotify.exe doesn't connect to the internet, but does try to access the pipe "\Device\Afd\Endpoint". That is when it hits the sandbox walls facing the internet.
To fix this I just prevent any application within the sandbox from reading those two keys. Maybe someone can hack the firefoxportable which ships with TBB so it won't read those two keys? That seems like a good solution, though I have no idea if it's 'hard' to accomplish or not.
From what Phobos said last night, TBB currently disables the "Java Quick Starter" Add-On in firefoxportable. But uninstalling the Add-On is not possible; it's always grayed out. That is a trick by Java Platform to prevent the removal of their Add-On. If a user wants to remove the Add-On from their registry, all they do is delete the value "jq@sun.com" and then configure the Java GUI to not load Java Quick Starter. OTOH, simply deleting the registry value "jq@sun.com" might be enough; I'll try to see if I can get Java to reinstall the Add-On into my registry and play with it a bit more.
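As an added example (not part of this ticket or of TBB), the following PowerShell script audits the two registry locations described above, listing every add-on Firefox will pick up from the registry at startup, whether its install path still exists, and whether it lives outside Program Files. It assumes Windows PowerShell on the host; the only hard-coded values are the two keys named in the ticket.

```powershell
# Added example, not from the ticket: enumerate add-ons registered through
# the two registry keys tbb-firefox.exe reads at startup. Read-only by default.
$ExtensionKeys = @(
    'HKCU:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Mozilla\Firefox\Extensions'
)

function Get-FirefoxRegistryExtensions {
    param([string[]]$Keys = $ExtensionKeys)

    # Program Files roots present on this host (the x86 one is absent on 32-bit systems).
    $programRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        # Each value name is the add-on ID (e.g. "jq@sun.com" in the ticket);
        # the value data is the directory the add-on is loaded from.
        foreach ($name in $item.GetValueNames()) {
            $target = [string]$item.GetValue($name)
            $exists = if ($target) { Test-Path -LiteralPath $target } else { $false }
            $inProgramFiles = $false
            foreach ($root in $programRoots) {
                if ($target -like "$root*") { $inProgramFiles = $true }
            }
            [pscustomobject]@{
                Hive                = $key
                ExtensionId         = $name
                InstallPath         = $target
                PathExists          = $exists
                OutsideProgramFiles = -not $inProgramFiles   # worth a second look
            }
        }
    }
}

# Show everything registered this way, including add-ons the Add-ons
# manager lists as grayed out and not removable.
Get-FirefoxRegistryExtensions | Format-Table -AutoSize

# Removal, as described in the ticket, is deleting the value (run deliberately):
#   Remove-ItemProperty -LiteralPath 'HKCU:\Software\Mozilla\Firefox\Extensions' -Name 'jq@sun.com'
```

Running it before and after installing Java shows exactly which value appears and which hive it lands in, so a sandbox rule or a manual deletion can be targeted at that value alone.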
Here are some relevant threads from Mozilla and other pieces of background info, etc:
http://support.mozilla.com/tiki-view_forum_thread.php?locale=lt&comments_parentId=362460&forumId=1
http://forums.mozillazine.org/viewtopic.php?f=38&t=921325&sid=515e4e29b64ba8c12e52c5ce15504d40
Good forum post with registry info on removing the Java Add-on: http://forums.mozillazine.org/viewtopic.php?p=4837715#p4837715
[1] http://kb.mozillazine.org/Uninstalling_add-ons#Windows_Registry_extension
Contact me at IRC if you need more info. I should be around the next few days at least.
[Automatically added by flyspray2trac: Operating System: Windows 2k/XP]
Trac:
Username: Sandy