Thursday, August 30, 2007

Google Toolbar 100% CPU bug...


In general, I'm a pretty big fan of the Google Toolbar for IE. I use IE6 SP2 for pretty much all of my web surfing needs. I have Opera and Firefox installed too with plugins/extensions for the latter, but I just like IE better (although some sites are starting to be IE6-unfriendly). But this isn't about starting a "which browser is better" debate/flamewar.

Instead, it is about a little bug I found today while minding my own business. Actually, I found three bugs, but only one of them is a critical issue that should never have left Google's QA department.

So I was minding my own business and responding to e-mails and other such things. For many of the groups I'm on, I tend to do web searches just so I can paste a link or whatever into the e-mail. I run into an e-mail that I had indirectly answered on another mailing list several weeks ago and didn't bother pasting links so I could search the archives. But I left myself enough clues that I could figure it out again if I needed to later.

It was a pretty obscure topic so finding the links again was difficult. So, I decided to look through the Google Toolbar search history. The complete history. Google Toolbar saves every search you ever do...and I've never bothered to clear my history - so it is really lengthy.

Anyway, here are the three bugs in increasing order of how critical they are. I assume a new browser session for each test case to make things easier:

1) Make the combobox dropdown window huge by grabbing the gripper and dragging. Now scroll through the history using the weird down arrow. The entire display flickers. This is a repainting issue.

2) Select a previous search item. Now use the down arrow button on the combobox to open the dropdown window. Scroll down a ways using the weird down arrow. Now move the mouse up but don't click anything. Move the mouse back over the weird down arrow. The history scroll starts over at the top of the history instead of continuing from where it left off.

3) Close all open browsers. Open Task Manager (trust me, you'll want it). Open a single IE session. Click the down arrow button on the combobox to open the dropdown window. Move the mouse over the weird down arrow and let it scroll through the history. As it scrolls, the current 'iexplore.exe' will slowly increase how much CPU it is using until 100% CPU is being used. Closing 'iexplore.exe' will close the window but the process will have to be manually terminated. If the end of the history is reached before maxing out the CPU, use the bug from #2 to start at the top and continue (or use the weird up arrow).

Heh. I caught three bugs QA at Google didn't. [Sigh] Why is it I run into all the bugs no one else finds? Every last piece of software.

Labeled a spammer...

Oh this is just great. I just got labeled as a spam blog. Here is the warning that I received when I logged into my blog today:


This blog has been locked by Blogger's spam-prevention robots. You will not be able to publish your posts, but you will be able to save them as drafts.

Save your post as a draft or click here for more about what's going on and how to get your blog unlocked.

Here is what blogger says about why this happens:

What We're Doing About Spam

Needless to say, we do not approve of spamming here at Blogger. Below are some of the things we've implemented to remove and reduce spam on our service. We will update this list as we continue our efforts.

Automated spam classifying algorithms keep spam blogs out of NextBlog and out of our "Recently Published" list on the dashboard.

The same classifiers are used to require an extra word verification field on the posting form for potential spam blogs. This makes it harder for spammers to set up automated systems to do their posting, since a human needs to complete this step.

The Flag as Objectionable button in the Navbar lets you notify us of problem blogs that you find, so we can review them and take appropriate action.

Let's take a look at why this might have happened from least likely to most likely:

1) The sudden spike in traffic and comments.

2) A whole bunch of people clicked the "report this blog/flag as objectionable" link out of sheer spite. That would imply people don't like me...but, but, but...everyone likes me! I can imagine Microsoft employees doing that for discovering their secret Windows Update but they would first have to find this blog. That isn't likely either.

3) Yesterday's post on a new type of spam. But there is other content in that post, so it shouldn't be a problem unless they have lousy filters.

4) The whole "old hash"/"new hash" thing in the modified secret Windows Update post. I can see this as a major problem for various anti-spam algorithms. It does look like gobbledygook despite being perfectly legit.

Yet another reason I'm seriously disliking Blogger. Ooh! I've got a great idea. Let's add gasoline to the fire! If I get any more ticked off, I'll end up heading over to and get something better.

Edit: Took almost 24 hours for Google to get around to declaring my blog spam-free.

Tuesday, August 28, 2007

A new type of spam


Just got this in my e-mail in-box:

We Need Beta testers to try out our new software Office Tools Plus

This will help us get the software ready for consumer release. For helping out, you will receive a free edition and 5 years of updates.

1: Download the software
2: Try it
3: Tell us what you think
Here is your chance. Follow the link to our secure download center:
(IP address removed for obvious reasons)

A new type of spam has appeared. Instead of saying "Hey idiot, download this perfectly obvious EXE that is going to install a virus" they are covering it up with "You can be a beta tester for our new Office Tools product....the download for beta testers is here: [link]". Social engineering at its finest.

The average user who has heard of beta testing will probably be enticed into downloading the file and running it. Who doesn't want to be a beta tester for a product that won't cost them a penny and possibly improve their productivity?

This is a dangerous new type of spam. A number of people are going to fall for it - it plays on social desires to beta test/try out new products. My guess is that it contains botnet software. On the plus side, a lot of users won't fall for it because there is no associated "click here to learn more about this software" sort of link that takes them to a page that describes how the software works, complete with screenshots. I'm sure the spammers will eventually start doing that, but it'll take a while.

Of course, I use an anti-spam tool called Spambayes. It is free software and works really well. I just have to train it a couple times on messages like the above and all future messages that are similar in nature will vanish.

And don't bother telling me the merits of Linux, Mac OSX, etc. I've heard it all and I've even used them both.

Saturday, August 25, 2007

A Most Coincidental Event!


Yesterday I spoke of a most heinous act of computer modification. Today Microsoft spent a huge chunk of the day attempting to solve a major problem.

The WGA (Windows Genuine Advantage - a.k.a. "Disadvantage") servers went completely down. Now I'm not a huge believer in coincidences but if Microsoft has ever had its pants down, this is perhaps a double helping (free wedgie!). Let's see here:

1) Push a secret worldwide update to Automatic Updates out to every computer on the planet.
2) My computer receives the update and VerifyMyPC flags it.
3) WGA servers receive the update completely unaware of what is happening.
4) WGA servers barf (perhaps something in the update they didn't like). All of the WGA servers go down.
5) User PCs attempting to connect to WGA servers can't and therefore are flagged as pirating Windows.
6) Microsoft catches wind of the problem and employees responsible for WGA head into work to solve the problem...and spend most of the day scratching their heads.

A PR disaster in the making if I've ever seen one. Had they had VerifyMyPC deployed throughout their organization, they could have avoided it or at least dealt with it a lot sooner (such as figure it out in 5 minutes instead of wasting hours in the office on a Saturday...time better spent at home).

Edit: Step 4 in the "sequence of events" is kind of vague. There is ALWAYS a reasonable explanation for what happens in a computer - it is just circuits and electricity after all - 0's and 1's. At the time I couldn't think of anything that would trigger a shutdown of the server. I was thinking more along the lines of "some application crashing or BSOD'ing" instead of, well, more reasonable ideas. After I thought about it a bit, perhaps step 3 made an incorrect assumption.

Suppose, for instance, you are in charge of the WGA servers and you are thinking about what hackers will consider a terrific target. The main Microsoft website is high profile but also extremely risky but breaking into WGA would be a great way to mess with a whole bunch of people at once and is a much more "backwater" system. So, as the server manager, you look for what is known as an Intrusion Detection System (IDS) and install one on the server. Then you set up a rule that says, "Should a file change, shut off this computer." Then you set up Automatic Updates to manual download and install (i.e. Ask me before doing either one). Then, you put into place a policy that when there is an update available via Automatic Updates one of the engineers (or a script) is to turn off/disable the IDS rule, run the updates, and turn the rule back on. This policy is then applied to all of the WGA servers to make the whole thing easier to administrate simultaneously.

Now Microsoft is huge and the left hand doesn't always know what the right hand is doing. So the Microsoft group responsible for Windows Updates releases a secret Windows Update that bypasses even the manual settings in Automatic Updates.

Every computer, including the WGA servers all download this update and install it. However! The IDS picks up on the fact that critical Windows files have changed. Each system then executes a perfectly flawless shutdown as per the rule set in the IDS system. Wam! Bam! WGA is completely down. The reason the engineers spent half a day in the office was probably to figure out what triggered the IDS rule to fire in the first place - even then they possibly didn't figure it out (depending on how good the IDS is - VerifyMyPC caught it on my system). Still, that's over half of their Saturday wasted.

I can see a number of people getting yelled at over this:

1) The Windows Update group responsible for the whole mess. First for issuing a secret worldwide update. And then for getting caught.
2) The WGA server group for having a single point of failure that can cause the servers to all go down.
3) Those who programmed the client-side of WGA for assuming that if the WGA servers are unreachable, because the servers are all down, that the person is pirating Windows.
4) The support group (in India?) who said that the WGA servers would be back up sometime on Tuesday.

Friday, August 24, 2007

Windows Update updating without permission!


Did I ever mention that I love VerifyMyPC? Oh wait. Never mind. I did that already.

It has been a while since I have posted but this one is too good to pass up. Every night around 10:30 p.m., my computer is set up to run a VerifyMyPC scan. About 11 p.m. the Scan Notifier runs and does the whole balloon pop-up thing. Normally nothing pops up because there is nothing to report (i.e. another day at the office - figuratively speaking).

When there is something to report, usually a little yellow triangle icon shows up and I say, "Yup, I remember doing that today." Or, "Those changes to my system sound about right."

Tonight, the special analysis mode of the Scan Notifier picked up on unusual behavior and popped up the Red-X icon.

If Microsoft ever wanted to get caught with their pants down, they succeeded. For most people, the above doesn't make a whole lot of sense past the "you might have a virus" part. VerifyMyPC requires a little extra knowledge about computer systems when dealing with the details. Google is your friend in these cases. Running searches for 'wups.dll' and 'wups2.dll' turns up something about Automatic Updates. In particular, those DLLs provide Automatic Update functionality for Windows.

In other words, the Automatic Updates utility automatically updated itself. Now this might not seem like a big deal but I have automatic updates set to manual (both download and installation have to be approved by me) and not the usual 'automatic' setting found on most user PCs. In other words, Windows updated itself without my express permission. Such behavior is right in line with spyware-like activity. Thus, VerifyMyPC is doing an accurate job in reporting such behavior to me. I love VerifyMyPC.

It is also interesting to note that Microsoft pushed out an update to Automatic Updates on a day other than the 2nd Tuesday of the month (also known as "Patch Tuesday").

The above image actually indicates that those files were 'added'. Drilling down, it shows that they were added to 'C:\WINDOWS\LastGood\system32\'. While 'wups.dll' and 'wups2.dll' were NOT modified, other files that are in the real system32 directory ('C:\WINDOWS\system32') WERE modified. What follows is a snippet of each file that was added and changed (files with the same name have been grouped together to help make it obvious that a virus or other piece of malware wasn't involved - malware authors wouldn't bother to copy the files to the "Last Known Good" configuration):

Add (Important)
C:\WINDOWS\LastGood\system32\cdm.dll (90.33KB)
Hash: 4E 68 B2 C4 4D F7 D2 58 16 8C 99 2C BA EC E9 95 53 33 05 86 C2 81 3B F4 B9 27 87 7C 0B 5B 51 A5

Change (Critical)
C:\WINDOWS\system32\cdm.dll (90.33KB)
New Hash: F2 2D 36 39 25 2C 01 76 40 0B 49 B3 06 2E B0 18 4B F1 F6 66 34 DD C7 F8 FD 69 73 23 9B CD 5B 98
Old Hash: 4E 68 B2 C4 4D F7 D2 58 16 8C 99 2C BA EC E9 95 53 33 05 86 C2 81 3B F4 B9 27 87 7C 0B 5B 51 A5

Add (Important)
C:\WINDOWS\LastGood\system32\wuapi.dll (536.83KB)
Hash: 07 A5 AF 93 9A 1D 28 5F 5B 08 BC 43 9B E5 57 EF 00 1C 4A D6 D9 E3 92 10 33 B2 D7 B9 E9 2C 42 C0

Change (Critical)
C:\WINDOWS\system32\wuapi.dll (536.83KB)
New Hash: C6 D8 44 CF CF BE 21 DA D0 3A 6E 75 7A A7 7B 06 DC 4E 3E 06 06 41 8B F9 E7 9D 91 13 29 17 5E C0
Old Hash: 07 A5 AF 93 9A 1D 28 5F 5B 08 BC 43 9B E5 57 EF 00 1C 4A D6 D9 E3 92 10 33 B2 D7 B9 E9 2C 42 C0

Add (Important)
C:\WINDOWS\LastGood\system32\wuauclt.exe (51.83KB)
Hash: A4 21 0C 3D 8A 99 75 97 E5 67 0B FA C2 46 6E 6A 0A FD C8 9B 2F 2F 6F 9C E5 88 63 3F 92 67 A5 9A

Change (Critical)
C:\WINDOWS\system32\wuauclt.exe (51.83KB)
New Hash: 46 DA FC 71 5B C2 BC BF D5 6A 3B 2B C3 DF 1D D2 C0 36 89 3E AB 2E 4F D6 E4 39 3E 08 10 54 D5 0D
Old Hash: A4 21 0C 3D 8A 99 75 97 E5 67 0B FA C2 46 6E 6A 0A FD C8 9B 2F 2F 6F 9C E5 88 63 3F 92 67 A5 9A

Add (Important)
C:\WINDOWS\LastGood\system32\wuaucpl.cpl (211.33KB)
Hash: 68 10 5C D1 BA 1D 73 48 02 31 DE 4C C0 F3 08 CF 15 3E EC 5B C9 F4 4D 2C 22 D0 D6 03 D8 59 C1 99

Change (Critical)
C:\WINDOWS\system32\wuaucpl.cpl (211.33KB)
New Hash: C4 0D 02 69 98 E1 9F 23 9F F9 5A 55 C1 33 4A E4 70 5A 8B 92 BF 4D DD F0 E4 42 3E 4F DA E9 D0 DA
Old Hash: 68 10 5C D1 BA 1D 73 48 02 31 DE 4C C0 F3 08 CF 15 3E EC 5B C9 F4 4D 2C 22 D0 D6 03 D8 59 C1 99

Add (Important)
C:\WINDOWS\LastGood\system32\wuaueng.dll (1.63MB)
Hash: 47 4F E9 97 52 0A 5C EC B5 CD ED 16 2B 32 49 61 AE 43 27 84 B1 82 11 66 6D D4 51 70 8A E6 C4 CD

Change (Critical)
C:\WINDOWS\system32\wuaueng.dll (1.63MB)
New Hash: 43 C2 26 22 FF C5 7E 8C 4F 54 C0 58 DA 30 D8 EA 57 BC 28 FF 43 CC 5C 85 17 DE C2 47 FF 2E 71 2A
Old Hash: 47 4F E9 97 52 0A 5C EC B5 CD ED 16 2B 32 49 61 AE 43 27 84 B1 82 11 66 6D D4 51 70 8A E6 C4 CD

Add (Important)
C:\WINDOWS\LastGood\system32\wucltui.dll (318.33KB)
Hash: 15 1D 34 E5 A4 3A CC DA B4 93 86 50 A0 99 70 6A 6B 6C 8E A5 D2 C5 83 25 EF 36 D1 AA 3B 46 9F 7B

Change (Critical)
C:\WINDOWS\system32\wucltui.dll (318.33KB)
New Hash: 51 12 24 6C 7B 09 54 21 ED 41 FA 90 B4 E8 CE 9D 00 3C DF A9 2F B1 DF 71 89 B8 CE 68 2D 8A 63 F7
Old Hash: 15 1D 34 E5 A4 3A CC DA B4 93 86 50 A0 99 70 6A 6B 6C 8E A5 D2 C5 83 25 EF 36 D1 AA 3B 46 9F 7B

Add (Important)
C:\WINDOWS\LastGood\system32\wups.dll (32.83KB)
Hash: E2 E1 5F 1C FB 8D 3F 38 15 89 F4 A1 05 6C 7C 22 6B 6A 54 EA 9A D4 FE 49 77 CE B4 96 8D EF 8E BF

Add (Important)
C:\WINDOWS\LastGood\system32\wups2.dll (42.33KB)
Hash: EF F0 03 E7 79 2B 94 C2 F5 3D 90 07 FB 9D 71 AD 2E 2D 3F 00 BB 8E B9 59 16 C3 F5 21 04 D9 7E FA

Add (Important)
C:\WINDOWS\LastGood\system32\wuweb.dll (198.33KB)
Hash: 12 72 88 FA C2 76 75 C4 51 69 A2 E3 BC B6 94 4B B3 91 C8 49 78 BC 2F DE 85 C5 B2 C4 2B D3 7B 93

Change (Critical)
C:\WINDOWS\system32\wuweb.dll (198.33KB)
New Hash: 5F B2 3D 83 EE 94 20 A6 0F 23 8F BF 5F 7E DD BC A6 8F 9A 9A CE 35 A8 F9 64 AF 88 A9 4D 4B E0 7C
Old Hash: 12 72 88 FA C2 76 75 C4 51 69 A2 E3 BC B6 94 4B B3 91 C8 49 78 BC 2F DE 85 C5 B2 C4 2B D3 7B 93

(The rest of the files have a .mui file extension and MUI apparently stands for "Multilingual User Interface" - probably just a bunch of language strings).

Change (Critical)
C:\WINDOWS\system32\wuapi.dll.mui (25.33KB)
New Hash: 42 46 98 4C AE 03 50 61 F4 E9 69 7A A2 38 A4 4B B3 A8 40 F1 39 3F 71 A7 92 78 42 28 5F 8F B9 33
Old Hash: 73 B4 BB 37 D4 FF 47 0B 61 78 73 AA 43 24 12 27 2C D4 B3 B2 9C 8E 6A 26 A6 78 1E A7 08 25 B5 36

Change (Critical)
C:\WINDOWS\system32\wuaucpl.cpl.mui (25.33KB)
New Hash: B1 6B F1 A9 5F 88 6F B1 8E B3 60 E6 42 2B AF B1 00 2D 9C 8A F1 17 C8 0D 6D 0E 23 24 6C CA 60 D4
Old Hash: EF E0 8D 82 AE F1 56 9B 55 C7 B6 CD CE 28 80 3F B7 26 20 84 EF 5C 4B 69 40 17 9C 4E 2F 67 97 58

Change (Critical)
C:\WINDOWS\system32\wuaueng.dll.mui (19.83KB)
New Hash: D9 B6 D9 FB 33 EA CB F3 DA 38 19 86 62 FE 70 16 6E 74 BC DC 4A 67 AD 24 A3 8A F8 8C 23 42 BA FB
Old Hash: D0 19 EC DA 02 E1 9F FD 30 C4 F4 06 90 A5 0F 97 76 59 81 B2 3A F1 BE AD 60 47 25 E5 63 7C 33 9B

Change (Critical)
C:\WINDOWS\system32\wucltui.dll.mui (33.33KB)
New Hash: 22 93 81 37 4F A2 81 38 D4 FC FB 07 69 A2 1F 6A 5D C5 7A 5C 44 78 F4 75 C0 3C 04 DC 6A 9C 45 B0
Old Hash: E3 BD 08 48 2F BF 98 68 AF 78 C9 17 A4 1B 1C 4E AD 64 D3 18 ED C5 06 BB 87 A2 93 52 2A A1 C5 F3

So there are plenty of other actual changes to Automatic Updates to back up my claim.

Also, while wups.dll and wups2.dll were not changed, it is pretty apparent that they were included in the update as they were backed up into the last good configuration as if they were going to be changed. Also, VerifyMyPC only reports changes to files that have signature (hash) changes. A hash is a one-way cryptographic thumbprint of a file. If you want to verify the above you will need a tool capable of performing a SHA-256 hash and a computer you didn't reboot (last good configurations tend to vanish after a successful boot).

You should also keep in mind that there are Windows APIs to alter timestamps of files. Just because a file says it hasn't been modified or accessed since 2004 doesn't mean it hasn't been.
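As an added example, not VerifyMyPC's code and not anything from the original post: the Python script below does the kind of check the last two paragraphs describe. It hashes every file under a directory tree with SHA-256, prints each hash as the space-separated hex byte pairs used in the report above, and classifies files against a saved baseline as Add or Change by content hash rather than by timestamp. The simulated system32 and LastGood\system32 layout, the file contents, and the timestamp reset (done with os.utime, the portable way to set the file times the post says can be altered) are all constructed for the demo; the script never touches the real C:\WINDOWS directories.

```python
"""Hash-based file-change check in the style of the VerifyMyPC report above.

Added example for this page, not VerifyMyPC's code or Microsoft's: it walks a
directory tree, hashes every file with SHA-256, prints each hash as the
space-separated hex byte pairs the report uses, and classifies files against a
saved baseline as Add / Change. The directory layout (system32 plus a
LastGood/system32 backup) and the file contents are constructed for the demo.
"""
import hashlib
import os
import tempfile


def hex_pairs(digest):
    """Format raw digest bytes like the report: 'F2 2D 36 39 ...'."""
    return " ".join("%02X" % b for b in digest)


def sha256_hex_pairs(path):
    """SHA-256 of one file, read in chunks so large DLLs don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hex_pairs(h.digest())


def snapshot(root):
    """Map 'relative/path' -> (hash, size, mtime_ns) for every file under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            result[rel] = (sha256_hex_pairs(full), st.st_size, st.st_mtime_ns)
    return result


def compare(baseline, current):
    """Classify by content hash. Returns (kind, path, size, old_hash, new_hash)."""
    findings = []
    for rel, (digest, size, _mtime) in sorted(current.items()):
        if rel not in baseline:
            findings.append(("Add", rel, size, None, digest))
        elif baseline[rel][0] != digest:
            findings.append(("Change", rel, size, baseline[rel][0], digest))
    return findings


def mtime_only_changes(baseline, current):
    """The naive check: report files whose modification time moved.
    A file whose timestamp was reset with os.utime slips past this,
    which is the point the post makes about trusting timestamps."""
    return sorted(rel for rel in current
                  if rel in baseline and current[rel][2] != baseline[rel][2])


def demo():
    """Simulate the update: swap a DLL, keep the old copy under LastGood,
    then reset the new DLL's timestamps to the old values. Returns both checks."""
    root = tempfile.mkdtemp(prefix="wu_demo_")
    sys32 = os.path.join(root, "system32")
    lastgood = os.path.join(root, "LastGood", "system32")
    os.makedirs(sys32)
    old_bytes = b"wuapi.dll version 1 (constructed sample)"
    new_bytes = b"wuapi.dll version 2 (constructed sample)"
    target = os.path.join(sys32, "wuapi.dll")
    with open(target, "wb") as f:
        f.write(old_bytes)
    baseline = snapshot(root)            # what VerifyMyPC would have recorded last night

    os.makedirs(lastgood)
    with open(os.path.join(lastgood, "wuapi.dll"), "wb") as f:
        f.write(old_bytes)               # backup of the pre-update file
    with open(target, "wb") as f:
        f.write(new_bytes)               # the updated file
    old_ns = baseline["system32/wuapi.dll"][2]
    os.utime(target, ns=(old_ns, old_ns))   # timestamps now claim nothing changed
    current = snapshot(root)
    return {"findings": compare(baseline, current),
            "mtime_changes": mtime_only_changes(baseline, current)}


def format_report(findings):
    """Render findings in the report's Add/Change layout."""
    lines = []
    for kind, rel, size, old, new in findings:
        lines.append("%s (%s)" % (kind, "Important" if kind == "Add" else "Critical"))
        lines.append("%s (%d bytes)" % (rel, size))
        if old is None:
            lines.append("Hash: " + new)
        else:
            lines.append("New Hash: " + new)
            lines.append("Old Hash: " + old)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    result = demo()
    print(format_report(result["findings"]))
    print("Files an mtime-only check would flag:", result["mtime_changes"])
```

Run it and the hash comparison reports the LastGood copy as an Add whose hash equals the Old Hash of the Change on the live file, exactly the pairing seen in the report above, while the mtime-only check flags nothing because the timestamps were put back. To check the real files, point snapshot() at C:\WINDOWS before a reboot and compare the hashes it prints against the Old/New Hash lines listed.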

Update Sept. 14, 2007: Microsoft finally responded after some major publications also realized secret Windows Updates were pushed out...almost three weeks after I posted this. Here is the official response.

To this I say: "That is a bunch of baloney". If Microsoft wants to update Windows Update components, I want the choice to update that. The "Download and Install Notifications" option implicitly includes all updates. In my mind, the Windows Update utility itself is part of that 'all'. Don't update my system secretly. Ever.

And Microsoft still hasn't come forward to explain why the WGA servers went down. My guess is that they would still be pretty embarrassed at this point to try to explain that "because they pushed out a secret update to Windows Update, WGA went down".

While I generally accept updates to Windows, I still want complete control over the entire process. The biggest problem I see with secretly updating is that it usually entails a reboot. I rarely reboot and if my system reboots while I'm in the middle of something, I will potentially lose a lot of work, not to mention the time involved in bringing up all 20-30 programs I was running before the reboot. Secret updates might be followed by random shutdowns and reboots.