615518 - Blocklist RelevantKnowledge extension because of crashes [@ rlxg.dll@0x12da1 ][@ rlxg.dll@0x9ef3 ][@ rlxg.dll@0x1167a ]

Status: RESOLVED FIXED

(Toolkit :: Blocklist Policy Requests, defect)

Description

[Scoobidiver (away)]

It is #44 top crasher in 4.0b7 for the last 2 weeks.
RelevantKnowledge seems to be a spyware.

May be this dll file/extension must be blocked.

Signature	rlxg.dll@0x12da1
UUID	f8b2368a-6a7e-439d-a6d8-9fc282101129
Time 	2010-11-29 20:58:45.363214
Uptime	215909
Last Crash	495881 seconds (5.7 days) before submission
Install Age	997257 seconds (1.6 weeks) since version was first installed.
Product	Firefox
Version	4.0b7
Build ID	20101104142426
Branch	2.0
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 6 model 9 stepping 5
Crash Reason	Unhandled C++ Exception
Crash Address	0x7c812afb
App Notes 	AdapterVendorID: 8086, AdapterDeviceID: 3582

Frame 	Module 	Signature [Expand] 	Source
0 	kernel32.dll 	RaiseException 	
1 	rlxg.dll 	rlxg.dll@0x12da1 	
2 	rlxg.dll 	rlxg.dll@0x5e89 	
3 	rlxg.dll 	rlxg.dll@0x5c95 	
4 	rlxg.dll 	rlxg.dll@0x10fa8 	
5 	rlxg.dll 	rlxg.dll@0x11464 	
6 	rlxg.dll 	rlxg.dll@0x114be 	
7 	xul.dll 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:3959
8 	xul.dll 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
9 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
10 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
11 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:609
12 	xul.dll 	nsThread::PutEvent 	xpcom/threads/nsThread.cpp:392
13 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
14 	xul.dll 	nsThread::Shutdown 	xpcom/threads/nsThread.cpp:491
15 	mozcrt19.dll 	arena_dalloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4281
16 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
17 	xul.dll 	nsProxyObjectCallInfo::Run 	xpcom/proxy/src/nsProxyEvent.cpp:181
18 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:609
19 	xul.dll 	nsThread::PutEvent 	xpcom/threads/nsThread.cpp:392
20 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
21 	xul.dll 	nsThread::Shutdown 	xpcom/threads/nsThread.cpp:491
22 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
23 	xul.dll 	nsProxyObjectCallInfo::Run 	xpcom/proxy/src/nsProxyEvent.cpp:181
24 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:609
25 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/threads/combined/prulock.c:404
26 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/threads/combined/prulock.c:404
27 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
28 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
29 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
30 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:181
31 	xul.dll 	xul.dll@0xb0a483 	
32 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:191
33 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3682
34 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:129
35 	firefox.exe 	__tmainCRTStartup 	obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
36 	kernel32.dll 	BaseProcessStart 	

More reports at:
http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=rlxg.dll%400x12da1&version=Firefox%3A4.0b7

Comment 1

[Scoobidiver (away)]

It is #21 top crasher in 4.0b8 for the last week.

Comment 2

[Bas Schouten (:bas.schouten)]

I think you're probably right considering it's widely considered spyware.

Comment 3

[Scoobidiver (away)]

It is #17 top crasher in 4.0b9 for the last week.

Here is more information on this spyware:
http://www.spywareremove.com/removeRelevantKnowledge.html

Comment 5

[LegNeato]

I believe the extension id is {6E19037A-12E3-4295-8915-ED48BC341614}. Unclear if we should just block the rlxg.dll.

We're also seeing this on branch.

Comment 6

[Scoobidiver (away)]

Here are 4.0b11 add-on & module correlations:
  rlxg.dll@0x12da1|Unhandled C++ Exception (142 crashes)
    100% (142/142) vs.   1% (251/38786) rlxg.dll (1.3.328.4)
     99% (141/142) vs.   1% (407/38786) {6E19037A-12E3-4295-8915-ED48BC341614} (*xg.dll (RelevantKnowledge), http://www.relevantknowledge.com/) (1.3.328.4)
The crash report without the extension is probably due to a bug in Socorro or Breakpad where sometimes extensions are missing in crash reports.

It is #18 top crasher in 4.0b11 and #46 top crasher in 3.6.13.

Comment 7

[Scoobidiver (away)]

With combined signatures, it is #9 top crasher in 4.0b11 and #40 in 3.6.13.

Comment 8

[Peter Van der Beken [:peterv]]

We've been in touch with Comscore before about crashes caused by their extension (see bug 521745), Damon has contact info iirc.

Comment 9

[Scoobidiver (away)]

extension id: {6E19037A-12E3-4295-8915-ED48BC341614}
version: 1.3.328.4 and lower
Firefox versions: all

Comment 10

[Justin Scott [:fligtar]]

Blocked on staging and ready for testing. https://wiki.mozilla.org/Blocklisting/Testing

    <emItem id="{6E19037A-12E3-4295-8915-ED48BC341614}">
      <versionRange minVersion="0.1" maxVersion="1.3.328.4" severity="1"/>
    </emItem>

Over to Kev for outreach.

Comment 11

[Damon Sicore (:damons)]

I wouldn't hold the release for outreach here.  Let's get the block in place and test it asap.

Comment 12

[Justin Scott [:fligtar]]

The block is already staged and ready for testing. We don't blocklist without telling the vendor about it first unless it's malware.

Comment 13

[Damon Sicore (:damons)]

(In reply to comment #12)
> The block is already staged and ready for testing. We don't blocklist without
> telling the vendor about it first unless it's malware.

Well, technically, we have done this as there are a ton of addons without contact info, BUT to make people happy here, I just talked to Yvonne, a director at ComScore (See contact info in bug 525974 ).  It's night there, but she's calling her head engineer to address the issue and promised get back to us in this bug by tomorrow.

Comment 14

[Ed Morley [:emorley]]

See also bug 521748.

Comment 15

[juan becerra [:juanb]]

I searched far and wide for all sorts of wares that could bundle this thing, but none of them had the extension we were looking for. If there's a way to build a dummy add-on that builds the blocklisting criteria in comment #10, let me know.

Comment 16

[Mauricio Collares [:collares]]

Try MediaCoder [1] or VideoInspector [2], maybe?

[1] http://www.mediacoderhq.com/
[2] http://www.kcsoftwares.com/index.php?vtb

Comment 17

[juan becerra [:juanb]]

I did, but those didn't seem to install the extension and/or dlls we are blocklisting. Instead, some of those bundles installed up to 5 extensions and all sorts of dlls were spawned after installing.

Comment 18

[Peter Van der Beken [:peterv]]

I got it through www.permissionresearch.com for bug 521748 iirc.

Comment 19

[ybigbee]

comScore has been informed of the issue and we are currently working to replicate the crash.  We have two engineers and the QA team looking into the code.  From the stack traces, we have some thoughts as to which module in the add-on might be the issue.

Comment 20

[Justin Scott [:fligtar]]

Thanks for the update, ybigbee. I'm going to go ahead with the block for Firefox 4 only and will wait to block in 3.6 and below for you to issue the updated version. Please keep us updated in this bug.

Comment 21

[Justin Scott [:fligtar]]

Filed bug 638234 so we don't forget to block in 3.6 when the update is issued, and bug 638231 for the website update.

Comment 22

[juan becerra [:juanb]]

(In reply to comment #18)
> I got it through www.permissionresearch.com for bug 521748 iirc.

This time I've tried installing all of the downloads listed, and now I can see a rlvknlg.exe running in the list of processes. The extension isn't shown in the list of add-ons.

However, after flipping the prefs in order to test the blocklisting and restarting the browser, I now see an extension not previously shown "RelevantKnowledge 1.3.328.4 (disabled)." So the blocklist seems to be working.

Once it's live on production, I'll check it again.

Comment 23

[Justin Scott [:fligtar]]

Blocked in production for Firefox 4.

Comment 24

[Scoobidiver (away)]

9 days after the blocking, crashes are still happening in 4.0 RC1:
https://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=rlxg.dll%400x12da1

The extension blocklisting is not enough to prevent crashes. The DLL blocklisting should be used.

See also bug 629634 where the extension blocklisting didn't prevent crashes.

Comment 25

[Johnathan Nightingale [:johnath]]

Is it possible that the extension blocklist blocked some of the crashes but not all (e.g. ones that happen too early in startup for the extension blocklist to be effective)? bsmedberg was saying he doesn't see these signatures on the top crash list any more, which suggests that the DLL blocklist piece might not, on its own, be blocking.

Comment 26

[Scoobidiver (away)]

In reply to comment 25
> Is it possible that the extension blocklist blocked some of the crashes but not
> all (e.g. ones that happen too early in startup for the extension blocklist to
> be effective)?
Indeed, in a steady state, with combined signatures, it is only #49 top crasher in 4.0b12 (#9 two weeks ago, see comment 7), so the current blocklist is partially effective. Remaining crashes don't occur at startup (uptime higher than 120 seconds except 2 crashes), so it is not caused by a blocklist delay.

When an add-on is blocklisted, does it show up in the extension tab of crash reports?
Is there a way to by-pass the add-on blocklist (add-on compatibility reporter or preferences in about:config for instance)?

Comment 27

[Benjamin Smedberg]

Due to the current frequency, this no longer needs to block.

Comment 28

[Lee Hollimon]

If this is on my system, how would I know. If it is on here, then I'd like to remove it.
Thank you.

Comment 29

[Scoobidiver (away)]

(In reply to comment #28)
> If this is on my system, how would I know. If it is on here, then I'd like
> to remove it.
If you crash with one of the crash signatures in the bug summary, then Relevant Knowledge is installed.
Uninstall it as any Windows programs. See http://www.ehow.com/how_5634500_remove-relevant-knowledge-spyware.html

Comment 30

[Asa Dotzler [:asa]]

Is this sufficiently blocklisted that we no longer need to track this for Firefox 5?

Comment 31

[Marcia Knous [:marcia]]

marcia and smooney to check volume in the latest beta and report back.

Comment 32

[Asa Dotzler [:asa]]

(In reply to comment #31)
> marcia and smooney to check volume in the latest beta and report back.

ping.

Comment 33

[Lee Hollimon]

I received an email from bugzilla and have no idea why. Might you be so kind as to tell me what this is about as it has me concerned?
Thank you,
Lee Hollimon

Comment 34

[Ed Morley [:emorley]]

(In reply to comment #33)
> I received an email from bugzilla and have no idea why. Might you be so kind
> as to tell me what this is about as it has me concerned?
> Thank you,
> Lee Hollimon

When you replied to this bug thread in comment 28, it added your email address to the CC list, so you would receive notifications of further replies/changes to the bug. To remove yourself, go to the bug and see top right of the screen where there is a CC list, choose edit->remove, select your email and press submit for the page.

Comment 35

[Marcia Knous [:marcia]]

So far I do not see these signatures showing up in Beta 3 data.

Comment 36

[Asa Dotzler [:asa]]

This is fixed. Yay!

Comment 37

[JhonSmith]

well you can also go through this article to reslove it. https://keepthetech.com/enable-site-specific-browser-in-firefox

Comment 38

[shawnentinie]

Because its 2022