Firefox will block DLL Injections - gHacks Tech News

Firefox will block DLL Injections

Mozilla Firefox will soon block the injection of DLLs by antivirus applications and other third-party programs in an effort to improve stability, security, and privacy.

Antivirus applications on Windows and other third-party applications, e.g. other security software or PDF tools, may inject DLLs in the browser. These injections are known to cause stability issues for users.

Mozilla follows Google which started to block third-party code injections in Google Chrome in 2018. Google discovered that Chrome installations with third-party DLL injection crashed 15% more than Chrome installations without.

Mozilla started to investigate options to disable DLL injections in Firefox in the fourth quarter of 2016 but things picked up speed only recently.

Firefox Nightly, the cutting edge version of the Firefox browser, blocks DLL injections already. The feature will be integrated in Beta and Release versions of the Firefox browser when they hit version 66.

Firefox Beta will hit version 66 on January 29, 2019, and Firefox Stable version 66 on March 19, 2019 according to the release schedule.

How do you know whether the protective feature is enabled already? That's easy. Just open about:support in the browser's address bar and check the Launcher Process listing near the top.

firefox launcher process dll injection

If it states enabled it is active; if it states disabled or is not present, it is inactive.

Firefox users can disable the feature currently and it is likely that the turn-off option remains a feature in Beta and Stable as well.

Go to about:config?filter=browser.launcherProcess.enabled to display the preference in Firefox. Note that the link returns the preference only if it exists.

Double-click on it to set it to True or False. True means that the launcher process is enabled, False that it is disabled. Firefox blocks DLL Injections by third-party applications if the preference is set to true.

firefox launcher process

Firefox users (and Chrome users) may experience issues with their browsers or applications that attempt to inject DLLs into the browsers. Third-party developers may need to update their applications to remove the DLL injecting components from the applications or exclude browsers that block these attempt anyway.

Closing Words

DLL injections have always caused stability issues on Windows; Google discovered a 15% more crashes in Chrome browsers with DLL injections than without. Mozilla did not reveal any statistics but it is likely that the figure is in the same region. (via Techdows)

Summary
Firefox will block DLL Injections
Article Name
Firefox will block DLL Injections
Description
Mozilla Firefox will soon block the injection of DLLs by antivirus applications and other third-party programs in an effort to improve stability, security, and privacy.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Graham said on January 21, 2019 at 8:16 pm
    Reply

    Fine by me. Most AV applications are bad for your computer, anyway.

    1. Russian Bot 289103284782171 said on January 22, 2019 at 4:41 pm
      Reply

      Mostly when multiple iterations are present. It worked and was required in the mid 2000’s to have an A/V and a seperate spyware/malware tool, but they blurred the lines and there’s no such thing, as a malware/spyware tool that doesn’t think it’s also an A/V.

      Freakin browsers are also getting annoying, mining software downloads being blocked due to “danger”, so much, I have to wget them in my vps shell, :rolls eyes:

      The best thing to do to check for malware/viruses on a windows partition? Boot up with a Linux distro on a usb or disc and then run ClamAV over the windows partition…you’ll find things others can’t find due to windows locking folders and “C:” …but of course that’s a feature, not a bug..heh.

  2. Eaglenik said on January 21, 2019 at 8:48 pm
    Reply

    Great addition for privacy and control over the browser !

  3. Haakon said on January 21, 2019 at 9:11 pm
    Reply

    I wonder what this bodes for programs, AV or otherwise, for Firefox users. It’s been my go-to browser since it was Phoenix.

    Drilling 64.0.2 under Win7 with Sysinternals’ Process Explorer, current injections are for QFX KeyScrambler, Malwarebytes Anti-Exploit and i7-3770K Graphics.

    The graphics drivers, Shader Compiler (for acceleration) and the User Mode itself, would be a critical cause for concern.

    As well, the other two have presented stable and competent service for countless users for many years.

    I’m trying to envision this policy without some kind of certification construct from Mozilla to allow for such programs or an “under the hood” method for power users to do so. Other than a false setting for the pref. But if that’s what it takes, false it is.

  4. Ionut said on January 21, 2019 at 9:14 pm
    Reply

    No it will not.
    This feature has been in the works for months. It is not slated for a wide release. It’s WIP. The Indian blog is wrong. Check the bug Moz bug tracker.

  5. Alex said on January 21, 2019 at 9:20 pm
    Reply

    Stability is one thing (depends on both FF and the 3rd-party product), but how preventing ALL security software to work with Firefox is supposed to improve security is beyond me… unless Mozilla plans to turn Firefox into an A/V suite as well?

    1. Anonymous said on January 22, 2019 at 4:22 am
      Reply

      What are all these deadly viruses and security threats you think you are experiencing with Firefox? LOL All you need is uBlock and if you’re extra paranoid NoScript. There are zero exploitable vulnerabilities in Firefox with those two extensions running. Future changes will make Firefox even more secure. Most attacks happened through Microsoft’s software and Flash, not Firefox.

      1. SpywareFan said on January 22, 2019 at 8:44 am
        Reply

        With only the great Gorhill extensions in nightmare mode and FF up to date you’re not totally protected, las year I’ve had two malware download attempts blocked by EIS (ESET) while visiting an hijacked tech site, google safecensorship demonstrated to be totally useless and the attempted attack was no flash (never installed) or MS Win fault.

      2. Alex said on January 22, 2019 at 10:56 am
        Reply

        @Anonymous, first try to fully understand a comment then LOL. I am not experiencing “deadly viruses and security threats”. Security is about prevention. A good 3rd-party security product offers a maintained and up to date threat database that not always free filter lists and extensions like uBlock will be able to match. That’s not to say they are not good.

        What’s more, Google/Mozilla have indicated that content-blocking extensions (like uBlock etc.) will be restricted too even more, in the future. I’d love to see your updated LOL comment, then.

        Leaving everything (including non browsing-related functions) up to a browser riddled with corporate restrictions is my concern.

      3. John Fenderson said on January 22, 2019 at 8:14 pm
        Reply

        @Anonymous: “There are zero exploitable vulnerabilities in Firefox with those two extensions running.”

        There is no such thing as complex network-facing software with “zero exploitable vulnerabilities”, period.

  6. Tom Hawack said on January 21, 2019 at 11:15 pm
    Reply

    “Google discovered a 15% more crashes in Chrome browsers with DLL injections than without.”
    But what about the worst avoided by wise DLL injections?

    As @Alex mentioned it, above, blocking worthy DLL injections performed by security software logically puts a new responsibility on the browser’s shoulders, one of those which is not really that of a browser : combating the Wild Wild Web’s villains’ viruses and other petty acts.

    I have no idea about the balance result. Curious.

  7. Tony said on January 22, 2019 at 3:46 am
    Reply

    It would be good if they named it something more understandable and useful than “Launcher process”.

  8. Anonymous said on January 22, 2019 at 4:25 am
    Reply

    This is not strictly for antivirus but also for download managers. Now that Flashgot is impossible to create in WebExtension, the only thing to forward the download is by using the DLL extension.
    This is truly the end of Firefox.

  9. AnorKnee Merce said on January 22, 2019 at 6:02 am
    Reply

    I think this browser crashing problem occurs mainly because ignorant users enable the AV features that filter or shield their web-browsing, eg from visiting known harmful websites. These extra AV features are mostly redundant because browsers and search engines themselves filter out known harmful websites.
    .
    Web-surfers are supposed to use a non-Admin account, be vigilant and careful about visiting websites, downloading files, opening email file attachments, opening links, etc. AV programs do not prevent user gullibility, foolishness, carelessness, greed(eg downloading pirated stuffs), etc.

  10. Anonymous said on January 22, 2019 at 6:38 am
    Reply

    Most A/V’s are spying on you – more like competition for Google and Mozilla just followed along as it aligned with their interests. If you really want to stop viruses from the web then just turn off JavaScript and block all downloads (sandbox users).

    1. Alex said on January 22, 2019 at 10:59 am
      Reply

      @Anonymous, and allow Google/Mozilla to spy on you exclusively. Great advice. Also, break half the Internet with turning JS off. Brilliant.

      1. John Fenderson said on January 23, 2019 at 1:49 am
        Reply

        @Alex: “break half the Internet with turning JS off. Brilliant.”

        By “internet”, I think you mean “the web”.

        I keep JS turned off for the most part. It doesn’t break half the web, really. And, mostly, the parts of the web that do break also happen to be the parts that are easy for me to do without. I do have to make a few exceptions — but even then, I only enable specific JS scripts, not JS in general.

  11. ilev said on January 22, 2019 at 9:40 am
    Reply

    Edge blocks DLL injections.
    I use KAV and disabled code injections into Chrome.

    https://forum.kaspersky.com/index.php?/topic/400605-google-chrome-wants-kaspersky-removed-from-pc-merged/

  12. AnorKnee Merce said on January 22, 2019 at 10:14 am
    Reply

    AV programs should not be messing with the internals of browsers since most browsers, search engines and email service providers already filter/shield against harmful websites/links.

  13. Anonymous said on January 24, 2019 at 3:48 am
    Reply

    I use Norton Security Suite version 22.16.3.21 and Malwarebytes version 3.5.1.2522.

    Using Process Explorer > View > Lower Pane View > DLLs, I observe the following in the main process of the 64-bit version of Firefox 64.0:

    mbae64.dll – Malwarebytes Anti-Exploit (Malwarebytes Corporation)
    ccLib.dll – Symantec Library (Symantec Corporation) (also injected into explorer.exe)
    ccVrTrst.dll- Symantec Trust Validation Engine 64 bit (Symantec Corporation) (also injected into explorer.exe)
    EFACli64.dll – Symantec Extended File Attributes (Symantec Corporation) (also injected into explorer.exe)
    spifc.dll – Symantec Platform Component Library (Symantec Corporation)
    IPSEng64.dll – IPS Script Engine DLL (Symantec Corporation)

    The Malwarebytes DLL injection can be mitigated (but you lose Malwarebytes protection) by toggling the “Mozilla Firefox (and add-ons)” Protection button to Off from Malwarebytes Main Menu > Settings > Protection tab > Real-Time Protection > Manage Protected Applications. Firefox does not need to be restarted – you can watch the DLL being removed/added in real-time via the Process Explorer display.

    Injection of the Symantec IPS Script Engine DLL apparently started in August 2014 as a replacement for the Norton Vulnerability Protection Browser Helper Object (BHO). See https://community.norton.com/en/comment/7013821#comment-7013821

    Turning off Norton’s SONAR Protection, Auto-Protect, and Boot Time Protection for 15 minutes did not dynamically remove their injected DLLs.

    I hope that Symantec provides a way for users to control injection of DLLs into Firefox (or as stated in the article “exclude browsers that block these attempt anyway”), or that Mozilla provides a whitelisting capability, so that both products can peacefully co-exist and so users don’t have to switch browsers and/or anti-virus products.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.