Under which circumstances would Firefox start childprocesses ?
Under which circumstances would Firefox spawn child processes ??? Firefox starts 3 child processes, when I access a certain website (I use procexp.exe to watch my box), how is this possible?? (I had started in safe mode!)
I'm scared, that it is a hacker attack, this is why I kill it as soon as it shows up. Unfortuately I did not even give my eyes enough time to memorize the child process name. The only things I remember are: It starts 3 child processes simultaneously named "fm'something'.exe with no company name or decription. The child processes immediatey start another child, which was also an exe file, shows the company name "Microsoft". I looked into system32, hoping one of the name would trigger :"that was the one", but nothing came up.
Any hint appreciated, Dietmar
All Replies (8)
hi, firefox is a multi-process application: https://blog.mozilla.org/futurereleases/2016/08/02/whats-next-for-multi-process-firefox/ i don't think that what you saw is anything unusual or even cause for concern...
This I know, but it does not explain 1) why is the child process not a Mozilla signed executable ? 2) why would it start only on accessing a specific site and no other site ? 3) why would it start the same child process 3 times, if not to prevent the user from killing all 3 before they have done something (harmful) ?
If you know more, then tell me, which are the exe files, which it would legitimately spawn. e.g. it does spawn update.exe and itself, when you update Firefox.
legitimate firefox processes would all be called firefox.exe and be digitally signed by mozilla. the flash plugin's protected mode would be one reason why multiple processes open when you navigate to a particular page (plugin-container.exe is no longer present in recent firefox versions an is now also executed as firefox.exe) : https://blogs.adobe.com/security/2012/06/inside-flash-player-protected-mode-for-firefox.html
Then, what I observe, is indeed a sucessful hacking attack and it means THERE IS A SECURITY LEAK in Firefox 53.0.2 !
Obviously this site is capable to make my Firefox start a child process not signed by Mozilla. B.t.w. the flash plugin, actually all plugins were set to "never activate". If I need to display flash content I enable the VLC plugin.
Can someone from Mozilla give me a debug version, which would log all creations of child processes with the full string of the child process' executable? Or even better ask me for confirmation before starting any child process ???
Modified
what site is this happening on - can you provide a screenshot of procexp once this happens?
Send me an email (just made it public for now in my profile) and I tell you in private. I can't give you a screenshot without allowing the child processes to persist for more than a second. I won't take that risk. It takes me already a human reaction time to get the cursor to procexp window and do the shift del, when I see them coming up. They don't come after a UI interaction on the browser. They come up seemingly unrelated to mouse movement or keyboard input. Wish I had a patrol agent installed to kill them automatically with a PSL script, the I could give you the full text of the "ps" output. But I don't work for BMC Software any more, I'm retired. Considering that the childprocess mentioned an .exe name, I ran a full virus check with Avast, but it did not find anything.
Modified
if you can't share the information openly here, i don't think this is the right venue to debug the issue in the first place (also support.mozilla.org is a users helping users forum).
instead, please go to bugzilla.mozilla.org and file a bug report, which you can mark as security sensitive so it will be restricted to mozilla's security people at first - please include as much information to reproduce the issue as possible there, because the information we have in the thread here doesn't contain much actionable information to go on yet. thank you!
Have you never gone to sites, which you don't want the whole world to know about ? Ok, then I will set my email in my profile to private again. Bye