Blocklist RelevantKnowledge extension because of crashes [@ rlxg.dll@0x12da1 ][@ rlxg.dll@0x9ef3 ][@ rlxg.dll@0x1167a ]

RESOLVED FIXED

Status

()

Toolkit
Blocklisting
--
critical
RESOLVED FIXED
7 years ago
a year ago

People

(Reporter: Scoobidiver (away), Assigned: fligtar)

Tracking

({crash, topcrash})

unspecified
x86
Windows XP
crash, topcrash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox5+ fixed, blocking2.0 -)

Details

(Whiteboard: [server side][hardblocker][noncode], crash signature)

(Reporter)

Description

7 years ago
It is #44 top crasher in 4.0b7 for the last 2 weeks.
RelevantKnowledge seems to be a spyware.

May be this dll file/extension must be blocked.

Signature	rlxg.dll@0x12da1
UUID	f8b2368a-6a7e-439d-a6d8-9fc282101129
Time 	2010-11-29 20:58:45.363214
Uptime	215909
Last Crash	495881 seconds (5.7 days) before submission
Install Age	997257 seconds (1.6 weeks) since version was first installed.
Product	Firefox
Version	4.0b7
Build ID	20101104142426
Branch	2.0
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 6 model 9 stepping 5
Crash Reason	Unhandled C++ Exception
Crash Address	0x7c812afb
App Notes 	AdapterVendorID: 8086, AdapterDeviceID: 3582

Frame 	Module 	Signature [Expand] 	Source
0 	kernel32.dll 	RaiseException 	
1 	rlxg.dll 	rlxg.dll@0x12da1 	
2 	rlxg.dll 	rlxg.dll@0x5e89 	
3 	rlxg.dll 	rlxg.dll@0x5c95 	
4 	rlxg.dll 	rlxg.dll@0x10fa8 	
5 	rlxg.dll 	rlxg.dll@0x11464 	
6 	rlxg.dll 	rlxg.dll@0x114be 	
7 	xul.dll 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:3959
8 	xul.dll 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
9 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
10 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
11 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:609
12 	xul.dll 	nsThread::PutEvent 	xpcom/threads/nsThread.cpp:392
13 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
14 	xul.dll 	nsThread::Shutdown 	xpcom/threads/nsThread.cpp:491
15 	mozcrt19.dll 	arena_dalloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4281
16 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
17 	xul.dll 	nsProxyObjectCallInfo::Run 	xpcom/proxy/src/nsProxyEvent.cpp:181
18 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:609
19 	xul.dll 	nsThread::PutEvent 	xpcom/threads/nsThread.cpp:392
20 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
21 	xul.dll 	nsThread::Shutdown 	xpcom/threads/nsThread.cpp:491
22 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
23 	xul.dll 	nsProxyObjectCallInfo::Run 	xpcom/proxy/src/nsProxyEvent.cpp:181
24 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:609
25 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/threads/combined/prulock.c:404
26 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/threads/combined/prulock.c:404
27 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
28 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
29 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
30 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:181
31 	xul.dll 	xul.dll@0xb0a483 	
32 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:191
33 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3682
34 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:129
35 	firefox.exe 	__tmainCRTStartup 	obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
36 	kernel32.dll 	BaseProcessStart 	

More reports at:
http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=rlxg.dll%400x12da1&version=Firefox%3A4.0b7
(Reporter)

Comment 1

7 years ago
It is #21 top crasher in 4.0b8 for the last week.
blocking2.0: --- → ?
I think you're probably right considering it's widely considered spyware.
(Reporter)

Comment 3

7 years ago
It is #17 top crasher in 4.0b9 for the last week.

Here is more information on this spyware:
http://www.spywareremove.com/removeRelevantKnowledge.html
Component: Networking → Blocklisting
Product: Core → addons.mozilla.org
QA Contact: networking → blocklisting
Summary: crash [@ rlxg.dll@0x12da1 ] with RelevantKnowledge extension → Blocklist RelevantKnowledge extension because of crashes [@ rlxg.dll@0x12da1 ]
Version: Trunk → unspecified
blocking2.0: ? → -
(Reporter)

Updated

7 years ago
Duplicate of this bug: 626614

Comment 5

6 years ago
I believe the extension id is {6E19037A-12E3-4295-8915-ED48BC341614}. Unclear if we should just block the rlxg.dll.

We're also seeing this on branch.
(Reporter)

Comment 6

6 years ago
Here are 4.0b11 add-on & module correlations:
  rlxg.dll@0x12da1|Unhandled C++ Exception (142 crashes)
    100% (142/142) vs.   1% (251/38786) rlxg.dll (1.3.328.4)
     99% (141/142) vs.   1% (407/38786) {6E19037A-12E3-4295-8915-ED48BC341614} (*xg.dll (RelevantKnowledge), http://www.relevantknowledge.com/) (1.3.328.4)
The crash report without the extension is probably due to a bug in Socorro or Breakpad where sometimes extensions are missing in crash reports.

It is #18 top crasher in 4.0b11 and #46 top crasher in 3.6.13.
(Reporter)

Updated

6 years ago
Depends on: 523784
(Reporter)

Updated

6 years ago
Summary: Blocklist RelevantKnowledge extension because of crashes [@ rlxg.dll@0x12da1 ] → Blocklist RelevantKnowledge extension because of crashes [@ rlxg.dll@0x12da1 ][@ rlxg.dll@0x9ef3 ]
(Reporter)

Comment 7

6 years ago
With combined signatures, it is #9 top crasher in 4.0b11 and #40 in 3.6.13.
blocking2.0: - → ?
Keywords: topcrash
Assignee: nobody → fligtar
blocking2.0: ? → final+
Whiteboard: [blocklist range needed][server side]
We've been in touch with Comscore before about crashes caused by their extension (see bug 521745), Damon has contact info iirc.
Whiteboard: [blocklist range needed][server side] → [blocklist range needed][server side][hardblocker]
(Reporter)

Comment 9

6 years ago
extension id: {6E19037A-12E3-4295-8915-ED48BC341614}
version: 1.3.328.4 and lower
Firefox versions: all
(Assignee)

Comment 10

6 years ago
Blocked on staging and ready for testing. https://wiki.mozilla.org/Blocklisting/Testing

    <emItem id="{6E19037A-12E3-4295-8915-ED48BC341614}">
      <versionRange minVersion="0.1" maxVersion="1.3.328.4" severity="1"/>
    </emItem>

Over to Kev for outreach.
Assignee: fligtar → kev
Whiteboard: [blocklist range needed][server side][hardblocker] → [server side][hardblocker][needs testing][needs outreach]
Whiteboard: [server side][hardblocker][needs testing][needs outreach] → [server side][hardblocker][needs testing][needs outreach][noncode]
I wouldn't hold the release for outreach here.  Let's get the block in place and test it asap.
(Assignee)

Comment 12

6 years ago
The block is already staged and ready for testing. We don't blocklist without telling the vendor about it first unless it's malware.
(In reply to comment #12)
> The block is already staged and ready for testing. We don't blocklist without
> telling the vendor about it first unless it's malware.

Well, technically, we have done this as there are a ton of addons without contact info, BUT to make people happy here, I just talked to Yvonne, a director at ComScore (See contact info in bug 525974 ).  It's night there, but she's calling her head engineer to address the issue and promised get back to us in this bug by tomorrow.
See also bug 521748.
I searched far and wide for all sorts of wares that could bundle this thing, but none of them had the extension we were looking for. If there's a way to build a dummy add-on that builds the blocklisting criteria in comment #10, let me know.
Try MediaCoder [1] or VideoInspector [2], maybe?

[1] http://www.mediacoderhq.com/
[2] http://www.kcsoftwares.com/index.php?vtb
I did, but those didn't seem to install the extension and/or dlls we are blocklisting. Instead, some of those bundles installed up to 5 extensions and all sorts of dlls were spawned after installing.
(Assignee)

Updated

6 years ago
Assignee: kev → fligtar
Whiteboard: [server side][hardblocker][needs testing][needs outreach][noncode] → [server side][hardblocker][needs testing][noncode]
I got it through www.permissionresearch.com for bug 521748 iirc.

Comment 19

6 years ago
comScore has been informed of the issue and we are currently working to replicate the crash.  We have two engineers and the QA team looking into the code.  From the stack traces, we have some thoughts as to which module in the add-on might be the issue.
(Assignee)

Comment 20

6 years ago
Thanks for the update, ybigbee. I'm going to go ahead with the block for Firefox 4 only and will wait to block in 3.6 and below for you to issue the updated version. Please keep us updated in this bug.
Whiteboard: [server side][hardblocker][needs testing][noncode] → [server side][hardblocker][noncode]
(Assignee)

Updated

6 years ago
Blocks: 638234
(Assignee)

Comment 21

6 years ago
Filed bug 638234 so we don't forget to block in 3.6 when the update is issued, and bug 638231 for the website update.
Depends on: 638231
(In reply to comment #18)
> I got it through www.permissionresearch.com for bug 521748 iirc.

This time I've tried installing all of the downloads listed, and now I can see a rlvknlg.exe running in the list of processes. The extension isn't shown in the list of add-ons.

However, after flipping the prefs in order to test the blocklisting and restarting the browser, I now see an extension not previously shown "RelevantKnowledge 1.3.328.4 (disabled)." So the blocklist seems to be working.

Once it's live on production, I'll check it again.
(Assignee)

Comment 23

6 years ago
Blocked in production for Firefox 4.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Updated

6 years ago
Blocks: 638425
(Reporter)

Comment 24

6 years ago
9 days after the blocking, crashes are still happening in 4.0 RC1:
https://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=rlxg.dll%400x12da1

The extension blocklisting is not enough to prevent crashes. The DLL blocklisting should be used.

See also bug 629634 where the extension blocklisting didn't prevent crashes.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Is it possible that the extension blocklist blocked some of the crashes but not all (e.g. ones that happen too early in startup for the extension blocklist to be effective)? bsmedberg was saying he doesn't see these signatures on the top crash list any more, which suggests that the DLL blocklist piece might not, on its own, be blocking.
blocking2.0: final+ → ?
(Reporter)

Comment 26

6 years ago
In reply to comment 25
> Is it possible that the extension blocklist blocked some of the crashes but not
> all (e.g. ones that happen too early in startup for the extension blocklist to
> be effective)?
Indeed, in a steady state, with combined signatures, it is only #49 top crasher in 4.0b12 (#9 two weeks ago, see comment 7), so the current blocklist is partially effective. Remaining crashes don't occur at startup (uptime higher than 120 seconds except 2 crashes), so it is not caused by a blocklist delay.

When an add-on is blocklisted, does it show up in the extension tab of crash reports?
Is there a way to by-pass the add-on blocklist (add-on compatibility reporter or preferences in about:config for instance)?
Summary: Blocklist RelevantKnowledge extension because of crashes [@ rlxg.dll@0x12da1 ][@ rlxg.dll@0x9ef3 ] → Blocklist RelevantKnowledge extension because of crashes [@ rlxg.dll@0x12da1 ][@ rlxg.dll@0x9ef3 ][@ rlxg.dll@0x1167a ]
Due to the current frequency, this no longer needs to block.
blocking2.0: ? → -

Comment 28

6 years ago
If this is on my system, how would I know. If it is on here, then I'd like to remove it.
Thank you.
(Reporter)

Comment 29

6 years ago
(In reply to comment #28)
> If this is on my system, how would I know. If it is on here, then I'd like
> to remove it.
If you crash with one of the crash signatures in the bug summary, then Relevant Knowledge is installed.
Uninstall it as any Windows programs. See http://www.ehow.com/how_5634500_remove-relevant-knowledge-spyware.html

Updated

6 years ago
tracking-firefox5: --- → +

Comment 30

6 years ago
Is this sufficiently blocklisted that we no longer need to track this for Firefox 5?
marcia and smooney to check volume in the latest beta and report back.

Comment 32

6 years ago
(In reply to comment #31)
> marcia and smooney to check volume in the latest beta and report back.

ping.

Comment 33

6 years ago
I received an email from bugzilla and have no idea why. Might you be so kind as to tell me what this is about as it has me concerned?
Thank you,
Lee Hollimon
(In reply to comment #33)
> I received an email from bugzilla and have no idea why. Might you be so kind
> as to tell me what this is about as it has me concerned?
> Thank you,
> Lee Hollimon

When you replied to this bug thread in comment 28, it added your email address to the CC list, so you would receive notifications of further replies/changes to the bug. To remove yourself, go to the bug and see top right of the screen where there is a CC list, choose edit->remove, select your email and press submit for the page.
So far I do not see these signatures showing up in Beta 3 data.

Comment 36

6 years ago
This is fixed. Yay!
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago6 years ago
status-firefox5: --- → fixed
Resolution: --- → FIXED
Crash Signature: [@ rlxg.dll@0x12da1 ] [@ rlxg.dll@0x9ef3 ] [@ rlxg.dll@0x1167a ]
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.