Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Under which circumstances would Firefox start childprocesses ?

  • 8 cavab
  • 1 has this problem
  • 1 view
  • Last reply by DietmarJH

more options

Under which circumstances would Firefox spawn child processes ??? Firefox starts 3 child processes, when I access a certain website (I use procexp.exe to watch my box), how is this possible?? (I had started in safe mode!)

I'm scared, that it is a hacker attack, this is why I kill it as soon as it shows up. Unfortuately I did not even give my eyes enough time to memorize the child process name. The only things I remember are: It starts 3 child processes simultaneously named "fm'something'.exe with no company name or decription. The child processes immediatey start another child, which was also an exe file, shows the company name "Microsoft". I looked into system32, hoping one of the name would trigger :"that was the one", but nothing came up.

Any hint appreciated, Dietmar

Under which circumstances would Firefox spawn child processes ??? Firefox starts 3 child processes, when I access a certain website (I use procexp.exe to watch my box), how is this possible?? (I had started in safe mode!) I'm scared, that it is a hacker attack, this is why I kill it as soon as it shows up. Unfortuately I did not even give my eyes enough time to memorize the child process name. The only things I remember are: It starts 3 child processes simultaneously named "fm'something'.exe with no company name or decription. The child processes immediatey start another child, which was also an exe file, shows the company name "Microsoft". I looked into system32, hoping one of the name would trigger :"that was the one", but nothing came up. Any hint appreciated, Dietmar

All Replies (8)

more options

hi, firefox is a multi-process application: https://blog.mozilla.org/futurereleases/2016/08/02/whats-next-for-multi-process-firefox/ i don't think that what you saw is anything unusual or even cause for concern...

more options

This I know, but it does not explain 1) why is the child process not a Mozilla signed executable ? 2) why would it start only on accessing a specific site and no other site ? 3) why would it start the same child process 3 times, if not to prevent the user from killing all 3 before they have done something (harmful) ?

If you know more, then tell me, which are the exe files, which it would legitimately spawn. e.g. it does spawn update.exe and itself, when you update Firefox.

more options

legitimate firefox processes would all be called firefox.exe and be digitally signed by mozilla. the flash plugin's protected mode would be one reason why multiple processes open when you navigate to a particular page (plugin-container.exe is no longer present in recent firefox versions an is now also executed as firefox.exe) : https://blogs.adobe.com/security/2012/06/inside-flash-player-protected-mode-for-firefox.html

more options

Then, what I observe, is indeed a sucessful hacking attack and it means THERE IS A SECURITY LEAK in Firefox 53.0.2  !

Obviously this site is capable to make my Firefox start a child process not signed by Mozilla. B.t.w. the flash plugin, actually all plugins were set to "never activate". If I need to display flash content I enable the VLC plugin.

Can someone from Mozilla give me a debug version, which would log all creations of child processes with the full string of the child process' executable? Or even better ask me for confirmation before starting any child process ???

Modified by DietmarJH

more options

what site is this happening on - can you provide a screenshot of procexp once this happens?

more options

Send me an email (just made it public for now in my profile) and I tell you in private. I can't give you a screenshot without allowing the child processes to persist for more than a second. I won't take that risk. It takes me already a human reaction time to get the cursor to procexp window and do the shift del, when I see them coming up. They don't come after a UI interaction on the browser. They come up seemingly unrelated to mouse movement or keyboard input. Wish I had a patrol agent installed to kill them automatically with a PSL script, the I could give you the full text of the "ps" output. But I don't work for BMC Software any more, I'm retired. Considering that the childprocess mentioned an .exe name, I ran a full virus check with Avast, but it did not find anything.

Modified by DietmarJH

more options

if you can't share the information openly here, i don't think this is the right venue to debug the issue in the first place (also support.mozilla.org is a users helping users forum).

instead, please go to bugzilla.mozilla.org and file a bug report, which you can mark as security sensitive so it will be restricted to mozilla's security people at first - please include as much information to reproduce the issue as possible there, because the information we have in the thread here doesn't contain much actionable information to go on yet. thank you!

more options

Have you never gone to sites, which you don't want the whole world to know about ? Ok, then I will set my email in my profile to private again. Bye