I think I understand what happened! We identified in 2018 that the then just-released Windows-10-RS3-Security-Baseline (Windows 10 Version 1709 Security Baseline.zip) contained settings that would break a required component for win32k lockdown, and they match exactly those that you identified as enabled in your config:

See https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c38 and https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c52

I think we raised this with Microsoft, they fixed the configuration and then pulled the affected configuration file from their webpages, you can't find it there any more. And we forgot about it...

Now that we enabled win32k lockdown, anyone that still has the broken Baseline settings applied is going to have been broken.

Although it's removed from Microsoft's server, I managed to find a copy of the archive on the net, and indeed it contains:

Broken config:

```
<AppConfig Executable="firefox.exe">
  <DEP Enable="true" EmulateAtlThunks="false" />
  <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" />
  <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>
```

Whereas the current configuration files contain (only):

```
<AppConfig Executable="firefox.exe">
  <DEP OverrideDEP="false" />
  <ASLR ForceRelocateImages="true" />
</AppConfig>
```
Bug 1770098 Comment 21 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I think I understand what happened! We identified in 2018 that the then just-released Windows-10-RS3-Security-Baseline (Windows 10 Version 1709 Security Baseline.zip) contained settings that would break a required component for win32k lockdown, and they match exactly those that you identified as enabled in your config:

See https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c38 and https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c52

I think we raised this with Microsoft, they fixed the configuration and then pulled the affected configuration file from their webpages, you can't find it there any more. And then we forgot about it after 4 years...

Now that we enabled win32k lockdown, anyone that still has the broken Baseline settings applied is going to have been broken.

Although it's removed from Microsoft's server, I managed to find a copy of the archive on the net, and indeed it contains:

Broken config:

```
<AppConfig Executable="firefox.exe">
  <DEP Enable="true" EmulateAtlThunks="false" />
  <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" />
  <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>
```

Whereas the current configuration files contain (only):

```
<AppConfig Executable="firefox.exe">
  <DEP OverrideDEP="false" />
  <ASLR ForceRelocateImages="true" />
</AppConfig>
```
I think I understand what happened! We identified in 2018 that the then just-released Windows-10-RS3-Security-Baseline (Windows 10 Version 1709 Security Baseline.zip) contained settings that would break a required component for win32k lockdown, and they match exactly those that you identified as enabled in your config:

See https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c38 and https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c52

I think we raised this with Microsoft, they fixed the configuration and then pulled the affected configuration file from their webpages, you can't find it there any more. And then we forgot about it after 4 years...

Now that we enabled win32k lockdown, anyone that still has the broken Baseline settings applied is going to have been broken.

Although it's removed from Microsoft's server, I managed to find a copy of the archive on the net, and indeed it contains:

Broken config:

```
<AppConfig Executable="firefox.exe">
  <DEP Enable="true" EmulateAtlThunks="false" />
  <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" />
  <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>
```

Whereas the current Microsoft Baseline configuration files contain (only):

```
<AppConfig Executable="firefox.exe">
  <DEP OverrideDEP="false" />
  <ASLR ForceRelocateImages="true" />
</AppConfig>
```
I think I understand what happened! We identified in 2018 that the then just-released *Windows-10-RS3-Security-Baseline (Windows 10 Version 1709 Security Baseline.zip)* contained settings that would break a required component for win32k lockdown, and they match exactly those that you identified as enabled in your config:

See https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c38 and https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c52

I think we raised this with Microsoft, they fixed the configuration and then pulled the affected configuration file from their webpages, you can't find it there any more. And then we forgot about it after 4 years...

Now that we enabled win32k lockdown, anyone that still has the broken Baseline settings applied is going to have been broken.

Although it's removed from Microsoft's server, I managed to find a copy of the archive on the net, and indeed it contains:

Broken config:

```
<AppConfig Executable="firefox.exe">
  <DEP Enable="true" EmulateAtlThunks="false" />
  <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" />
  <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>
```

Whereas the current Microsoft Baseline configuration files contain (only):

```
<AppConfig Executable="firefox.exe">
  <DEP OverrideDEP="false" />
  <ASLR ForceRelocateImages="true" />
</AppConfig>
```
I think I understand what happened! We identified in 2018 that the then just-released *Windows-10-RS3-Security-Baseline (Windows 10 Version 1709 Security Baseline.zip)* contained settings that would break a required component for win32k lockdown, and they match exactly those that you identified as enabled in your config:

See https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c38 and https://bugzilla.mozilla.org/show_bug.cgi?id=1433065#c52

I think we raised this with Microsoft, they fixed the configuration and then pulled the affected configuration file from their webpages, you can't find it there any more. And then we forgot about it after 4 years...

Now that we enabled win32k lockdown, anyone that still has the broken Baseline settings from the "1709 baseline" applied is going to have been broken.

Although it's removed from Microsoft's server, I managed to find a copy of the archive on the net, and indeed it contains:

Broken config:

```
<AppConfig Executable="firefox.exe">
  <DEP Enable="true" EmulateAtlThunks="false" />
  <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" />
  <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>
```

Whereas the current Microsoft Baseline configuration files contain (only):

```
<AppConfig Executable="firefox.exe">
  <DEP OverrideDEP="false" />
  <ASLR ForceRelocateImages="true" />
</AppConfig>
```
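
An added example, not part of the original comment and not Mozilla or Microsoft code: a check that reads an exploit-protection policy in the XML form quoted above and reports every firefox.exe setting that goes beyond the current baseline entry, which is how a machine still carrying the 1709 settings would show up. The function names and the `MitigationPolicy` wrapper element in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Entry quoted in the comment as the current Microsoft baseline for firefox.exe.
CURRENT_BASELINE = """<AppConfig Executable="firefox.exe">
  <DEP OverrideDEP="false" />
  <ASLR ForceRelocateImages="true" />
</AppConfig>"""

# Constructed sample policy. The wrapper element is an assumption; the
# firefox.exe entry is the "broken config" quoted in the comment.
SAMPLE_POLICY = """<MitigationPolicy>
  <AppConfig Executable="firefox.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" />
    <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true"
             EnableImportAddressFilter="true" EnableRopStackPivot="true"
             EnableRopCallerCheck="true" EnableRopSimExec="true" />
  </AppConfig>
</MitigationPolicy>"""

def settings(app_config):
    """Flatten one <AppConfig> element into {(element, attribute): value}."""
    return {(child.tag, name): value
            for child in app_config
            for name, value in child.attrib.items()}

def extra_settings(policy_xml, executable="firefox.exe", baseline_xml=CURRENT_BASELINE):
    """Settings applied to `executable` that the baseline entry does not contain."""
    allowed = settings(ET.fromstring(baseline_xml))
    found = {}
    for app in ET.fromstring(policy_xml).iter("AppConfig"):
        if app.get("Executable", "").lower() != executable.lower():
            continue  # entry belongs to another program
        for key, value in settings(app).items():
            if allowed.get(key) != value:
                found[key] = value
    return found

def enabled_payload_mitigations(policy_xml, executable="firefox.exe"):
    """Names of <Payload> mitigations switched on for `executable`."""
    return sorted(attr
                  for (tag, attr), value in extra_settings(policy_xml, executable).items()
                  if tag == "Payload" and value.lower() == "true")

if __name__ == "__main__":
    for (tag, attr), value in sorted(extra_settings(SAMPLE_POLICY).items()):
        print(f"{tag}.{attr} = {value}")
```
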