When you apply a security update for one of the programs on your PC, beware of uninvited software that wants to come along for the ride.
Vendors are more and more often going over the line, piggy-backing unsolicited commercial products and services onto crucial security patches.
If you’re like many people, you were tricked into installing Apple’s Safari browser as part of an iTunes or QuickTime update — a marketing tactic the company has been employing for more than a year. (I reported in my March 27, 2008, Patch Watch column that Apple had quietly started installing its browser using a little-noticed check box.)
You may also have succumbed to Microsoft’s incessant offer of Silverlight and Office Live as part of the Microsoft Update service. And you may have tired of saying “no!” to downloading Internet Explorer 8. (I don’t feel IE 8 is a necessary upgrade, due to IE 7’s relative security and IE 8’s incompatibility with some sites, as I describe below.)
Now, the latest Sun Java update shows how cavalier some vendors have become in taking advantage of software updates, including vital security patches.
The latest Sun Java SE Update 16 (6u16), released on Aug. 11, includes seven security updates and fixes a few bugs. What the release notes don’t document, however, is that this update comes with a surprise.
The download process starts out normally enough, with the usual coffee-cup update icon in the notification area of Windows’ taskbar. (See Figure 1.)
Figure 1. Sun’s Java icon — the coffee cup at the far left — indicates the availability of an update.
However, after you begin the update, a confusing offer to download and install a 30-day trial of Carbonite Inc.’s commercial backup software appears. A small check box is preselected for download and installation. (See Figure 2.)
Figure 2. The option to install a trial version of Carbonite Inc.’s backup software is prechecked in Sun’s Java updater.
Some Java patchers are not offered Carbonite but instead get Microsoft’s Bing search toolbar, which is preselected on many systems. (See Figure 3.)
Figure 3. Sun’s Java updater preselects the option to install Microsoft’s Bing search toolbar for IE along with the Java update.
That’s right, ladies and gentlemen. Not only may we have to uninstall random toolbars if we’re not careful with our Java updates, now we have to remove trial versions of commercial software that vendors quietly attached to a security update.
UPDATE 2009-08-20: In the Aug. 20, 2009, Known Issues column, reader Pete Poorman notes that Adobe’s updates for Flash Player and Adobe Reader attempt to install the Google Toolbar by default.
Microsoft pushes IE 8 as ‘critical’ to your PC
Microsoft is one of the biggest offenders in promoting nonsecurity updates via its security mechanism.
First in 2006, and again in 2007, the Redmond company installed its intrusive Windows Genuine Advantage app as though it were a “critical security upgrade,” as I described in a June 14, 2007, column.
In the latest such case, you’ll find that Microsoft has prechecked Internet Explorer 8 when you use Automatic Updates and choose the option to view available updates.
The company argues that IE 8 is a critical update to your operating system. In reality, the program may conflict with other software on your PC.
I’m postponing deployment of IE 8 on my computers, because I continue to encounter compatibility problems in my testing. The glitches are slowly being resolved, but I’m still not ready to give a blanket recommendation to upgrade to IE 8, nor am I comfortable applying it to the production systems I manage. (I described the problems and some solutions in a column on May 28.)
As the person in charge of managing PCs in my company, I need to test the program before it’s installed on production systems. By preselecting the IE 8 installation, Microsoft eliminates my ability to conduct responsible testing.
Even while claiming that IE 8 is a critical update, Microsoft continues to support the hopeless old version 6 of IE, as stated on the company’s IEBlog. IE 6 long ago stopped being a defensible browser and cannot now be considered secure by any stretch of the imagination.
If you’re still running IE 6, you should upgrade to IE 7 immediately. If your company uses a line-of-business app that requires IE 6, isolate that machine from the Internet and use it only until that app is upgraded.
Installing IE 8, however, should be considered optional and should not be associated with security patches.
(In an unrelated move, IE 8 will no longer silently make itself a PC’s default browser when users select the Express installation option. The change was revealed in a U.S. Department of Justice antitrust compliance report, as reporter Grant Gross explains in an IDG News Service article.)
Let’s put a halt to any marketing in updates
I understand that the publishers of “free” software sometimes need to push other programs that generate revenue. Whenever a vendor is offering useful software at no cost, I’m willing to consider some software bundles at the time of original download.
To avoid tricky bundles, you should consult sites offering advice about specific problems. One of the best is the Calendar of Updates’ Installers Hall of Shame, which lists uninvited programs that ride along with various apps.
It’s a completely different matter to use security updates to sneak software onto our PCs — there’s simply no other term for it. Corrupting a vendor’s security channel to promote a marketing opportunity violates our fundamental right to control the programs installed on our systems.
When it comes to bug fixes and security patches, I need to be able to trust that the changes vendors are making to my system are intended only to protect me. I strongly object to attempts to install any nonessential software as part of the update process.
To me, the marketing tie-ins described above step way over the line. I hope you’ll join me in urging software vendors to limit security updates to nothing but security updates.
Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.