Named CPU skyrockets for ActiveX objects in IE 5.5 browser

Danny Mayer mayer at gis.net
Mon May 13 19:44:14 UTC 2002


At 10:49 PM 5/12/02, JB wrote:
> >I'd need to see some evidence.
>
>My testimony is evidence. Either you feel I am inept (testimony incorrect
>through illusion) or a liar (testimony tainted with deception.) If either of
>those were true, how would electronic "evidence" make a difference? I would
>only post what I see and testify to. CPU close to 1%, CPU close to 60%.
>Named.exe at 0%. Named.exe close to 60%. Quite a contrast by any measure.

That's not what I meant.  I want to see logs of what's going on.  It's very
hard to diagnose a problem like this from a mail message.

>There was one other person who posted a message saying he witnessed this
>phenomenon on his computer, although he had ActiveX turned on in IE, which
>is true for most people, so was going to check out the effect of turning it
>off. I configured it to prompt me so I can only enable it for sites I trust.
>Why? Originally Nimda. But there was a recent security alert for Macromedia
>Flash requiring an immediate upgrade, so minimalist permissibility seems to
>work.
>
>Can someone please explain how posting snapshots of Windows Task Manager
>will help get this problem resolved? Is there anyone out there that tested
>these same conditions, and didn't have a problem? The front page of the WSJ
>is accessible by anyone, and appears to invoke the problem 100% of the time
>for me when I say yes to running ActiveX objects for that page, so all you
>need is IE to complete the test. Configure it to prompt you before running
>any ActiveX objects. Tools... Internet Options... Security... Custom
>Level...

I have a program called NTProcessWatch which you run from the command
line and it outputs the details very much like task manager.  It can also
watch a single process and take a snapshot of the details of that one process.
You can redirect the output to a file and analyze what's going on. I can
send you a copy of the binary if you want.

>To test:
>
>1> Go to WSJ.com.
>
>2> Click "No" when it prompts you to run ActiveX objects on the page.  (If
>it doesn't prompt you, you either don't have IE configured to prompt before
>loading ActiveX objects, or the WSJ currently is not serving advertisements
>requiring it on that page at that moment.  Try later if the latter is the
>case.)
>
>3> When page loads, check overall CPU usage and CPU usage of named.exe
>(should be 0% if you have not publicized it. That's what it is for me.)
>
>4> Refresh the page.
>
>5> Say yes to ActiveX objects running.
>
>6> Note the overall CPU usage and the CPU usage of named.exe. For me,
>named.exe is around 60% of CPU, although I expect this will vary depending
>on your CPU.
>
>Tested on:  Windows 2000 with IE 5.5
>
>NOTHING shows up in query log. You can leave the high CPU state of named.exe
>indefinitely, and nothing will show up unless you have legitimate queries
>that happen to occur at the same time. Since nothing is actually using BIND
>on my computer, I only see entries if I do a HOST or some other query. My
>browser and other activity does not appear to query BIND.

What does the logging statement look like in named.conf?

>Could something be exploiting BIND? Or could this be a fluke? I'd like to
>know what happens when others try this (to bolster the "evidence", to say
>the least).

It's hard to say what's happening.  If you run queries explicitly by using dig,
do you see anything show up in the log?

>NOTE: Just now for the first time, when testing this on an NT box, I
>discovered that the main page of WSJ does not always prompt you for ActiveX
>objects. While I was able to immediately get this prompt while clicking on
>an article, I know you have to be logged in to do that, so don't expect it
>to be a viable test for peeps that don't have a subscription. If someone
>else can find another web page that always tries to load ActiveX objects,
>I'll test it out and let everyone know if it produced the problem here.
>While WSJ's ActiveX objects have so far produced it 100% of the time, other
>sites with ActiveX have not.  I'd have to try it to see if it invokes the
>problem.  Dictionary.com seems to cause the problem when it happens to serve
>up an advertisement using ActiveX, but doesn't always do this.


         Danny
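
An added example, not part of the message above and not the poster's actual configuration: a named.conf logging statement of the kind asked about, routing the queries category to its own timestamped file so that explicit dig queries can be checked against it. The channel name and file name are assumptions.

```conf
// Constructed example. Channel name "query_log" and file name
// "named-queries.log" are placeholders, not values from the thread.
logging {
    channel query_log {
        // Dedicated file, rotated so it cannot grow without bound.
        file "named-queries.log" versions 3 size 5m;
        severity info;
        // Timestamps let log entries be lined up against CPU samples
        // taken from the named.exe process.
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Send query messages to the dedicated channel only.
    category queries { query_log; };
};
```

If a query sent to the server with dig does not appear in this file, query logging is not active, and an empty log says nothing about what named is doing during the CPU spike.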


