Heapspray Mitigation Detected from Flash Player

I'm running Sandboxie 4.02, EMET 4.0, and Firefox 22 with flash updated to whatever the latest is. EMET is using the "Popular Programs" configuration. I listen to a lot of music on Youtube and once a day (or every other day), I get a notification from EMET saying it detected a Heapspray mitigation from flash and closes flash player. If I refresh the page it might happen one or two more times before the video loads. I'm assuming there's an incompatibility here; I doubt someone is attempting to attack my computer daily(if they are, they aren't succeeding ). Is anyone else having any issues like this?

 

Wow! Though I can't say with certainty that I was being attacked, I'd like to think so. This means my setup is doing it's job! For all I know, I'm the one that alerted them to the problem because I always "Submit information" when it happens. I'd still like to know if anyone else has faced any compatibility issues with Flash though.

 

I had the same thing happen to me on a YouTube video (my niece said "you just have to see this video" ) using EMET 3.5, Sandboxie, Firefox, and Flash Player. When I got the Heap Spray notification from EMET I was was shocked to say the least.

Later...

 

Do you guys really think you're being "attacked" on YouTube? I'd say no. Certainly not with their Flash video player, and even the risk from any 3rd-party ads should be pretty low...?

I'd bet that Sandboxie is the problem! You both mentioned it, and I reported it over 10 months ago, but I don't know that tzuk ever really looked into it. I offered to help debug it using some sort of memory tool... My other EMET 3.x test Notifier can hang the program (waiting on MessageBox) so the program doesn't terminate right away (not sure if that would help for "examining" memory somehow!).

I've mostly had to disable HeapSpray... Or you can remove the heap_pages registry values (effectively same as disabling), since leaving any of the memory addresses will causes crashes for me after different amounts of time.

For me it's OK until about 4-5 days of a/the sandbox being active, then the HeapSpray crashes are almost constant.

I hadn't updated Flash since last July (wouldn't do that without Sandboxie!), but I just updated to the latest 11.8 and will see how it goes now.

I've hardly ever seen anyone mention Firefox HeapSprays with Sandboxie, so it's interesting that you've both reported it now...

 

As I said in my original post, no I did not. Then ronjour posted and then I didn't know what to think, which is why I asked if anyone else had noticed the issue happening so that I could confirm if it was a compatibility issue or not. I agree, it's a bit far fetched. My sandbox is emptied on browser close but I think for a while I was just putting my computer to sleep and thus using the same sandbox for a few days at a time. I updated yesterday with the Microsoft updates so I guess if I don't see the notifications anymore, then I really was being attacked?

 

No, you're probably not seeing EMET notifications right now because Sandboxie's "activeness" was reset when Windows restarted after the updates (or when it becomes inactive and Auto Deletes Contents).

That's probably why you were getting it then -- after the sandbox had remained active for a few days. Maybe you can try it again, by using sleep or whatever? Like I said, it usually takes 4-5 days before problems start for me (I enabled HeapSpray again now, after it's been disabled for weeks). I get it on Firefox itself too (not just plugin-container), which sucks when it kills the whole browser (can Restore, but still).

I run "regular" stuff in my General/Internet sandbox, and I'll keep it active for weeks on the main system (so a month or 2 at most between Windows updates). If I don't think there's anything bad in the sandbox, I'm not worried about deleting contents.

 

That's what I intend to do. We shall see!