| By Susan Bradley |
The auto-update routines for QuickTime and iTunes, two programs that play multimedia files, have quietly begun installing Apple’s Safari browser unless PC users are sharp enough to turn off a little-noticed option.
This week’s abomination makes me question the entire concept of trusting auto-update mechanisms as a way of seeking better security.
Updater for media players adds unwanted payload
My tracking of patches started out this week with an abomination. The latest version of the update mechanism that keeps QuickTime and iTunes software current now sports an additional and non-germane payload. The updater wants to install Apple’s Web browser, Safari, which comes in versions for Mac and Windows.
Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!
Subscribe and get our monthly bonuses - free!
Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!
You may be accustomed to auto-update mechanisms that try to promote optional software. MSN’s Instant Messenger installer, for example, graciously offers to change your home page to MSN.com. So why is Apple’s peccadillo particularly putrid?
It’s because the company is using its security update mechanism to push Safari, which is not a security upgrade.
I know that many users are resigned to vendors using security updates as a mechanism to distribute optional programs. Besides Microsoft, Sun Microsystems is doing this to promote its implementation of Java, and a gazillion other vendors are abusing their auto-install mechanisms, too.
Where QuickTime crossed my personal line was this kicker: Apple designed the installer specifically so that its default behavior is to install the new browser. A user who accepts the QuickTime update must explicitly opt out of getting the unrequested payload. (You must notice and uncheck a check box.)
The result is that many users who thought they were updating only a piece software that they already run (namely, iTunes or QuickTime or both), found that Safari had been installed in addition. This represents software they didn’t own and probably didn’t want.
When vendors such as Apple set up default behavior like this, they betray the trust of their customers. Apple’s method is piggy-backing a pile of cross-selling activity on top of a critical security-upgrade process that demands the utmost level of concentration.
My thanks to Microsoft Watch blogger Joe Wilcox, who provides additional information about the QuickTime and iTunes payload.
Figure 1. Apple tries to pull a fast one to get you to install Safari.
Apple isn’t the only vendor that’s taking advantage of users’ inherent trust of security update mechanisms. Even some sophisticated Windows Secrets readers are tentative about installing Microsoft’s Windows Genuine Toolbar update. These readers fear that the utility will accidentally brand their machine as “nongenuine,” triggering a host of hassles.
While I haven’t found widespread problems with patch 905474 and related updates to the much-maligned Windows Genuine Advantage (WGA) program, I don’t blame folks for being wary of the WGA validation utility.
Here’s my message to all vendors wondering whether they should ape Apple and Microsoft by using a security-update mechanism to distribute other products to the widest possible audience: don’t. Don’t abuse our trust in your software like this.
And while we’re arm-waving here… Hello, Microsoft, will you stop offering up the Silverlight download to every person who goes to your home page? This is another over-the-top marketing offense that’s become quite annoying to me.
We all understand software vendors’ need to gain customers. But hijacking the most sensitive and essential security-update processes is not ethical. It’s highly disrespectful of these vendors’ most important constituents — their customers.
| UPDATE 2009-08-13: In her Aug 13, 2009, Top Story, contributing editor Susan Bradley describes how Apple and other vendors use security updates to push unrelated software.|
Vista support policy relaxed; this link can help
I have a noteworthy revision to, and a clarification of, my Mar. 20 article on Vista Service Pack 1.
Here’s the revision: I’d mentioned that on OEM systems (PCs that ship with a Microsoft operating system preinstalled), you can seek tech support only from the OEM (the PC’s manufacturer). That’s the general case for Microsoft’s operating systems, but Vista SP1 is an exception.
Microsoft now states that it will provide free support until March 18, 2009 — directly from Redmond — for SP1 installation issues.
If you have problems, by all means take advantage of this offer. Start at the Vista SP1 support Web page. Begin by pressing the button labeled Start E-Mail Request to report an “incident.”
The clarification involves the problem I had with a Vista machine on which installing SP1 suddenly required a new activation. I explained on Mar. 20 that I was required to reactivate this computer because the SP1 upgrade installed a new hardware device driver. This is true, but the OS on my system is not typical. Many Vista installations that are more vanilla than mine won’t have to go through that extra hassle when SP1 is installed.
My system was a version of Vista that had been downgraded to XP using an included downgrade disc, then upgraded back to Vista. The operating system this PC is using is a retail Vista package. Retail builds of Vista are the versions of Windows that are the most likely to call for activation upon changes in hardware and hardware drivers.
Over the weekend, I updated an OEM version of Vista and I had a better experience. The SP1 installer in the OEM version recognized that the hardware on the system had changed after the PC had left the factory and maintained the activated state of the OS.
So the activation hassle I had on the first SP1 install was fairly predictable, because the service pack had indeed updated a hardware driver during the installation. If you’re installing SP1 on Vista while using a typical OEM system, you probably won’t be asked to activate Vista again.
Prepare for Windows XP SP3: it’s coming soon
The drumbeat of rumors is more insistent. It seems the release of Windows XP SP3 is imminent. My testing of this service pack has been uneventful. SP3 appears to be very stable.
Before you install any service pack, however, make sure you’ve backed up your key documents and data. I never start installing a service pack without first making sure that any data I care about has a backup stored separately from the machine.
Backup devices, such as external hard drives, are very cheap compared to the time and grief you’d have to shell out to repair a system that a service pack corrupted.
Missing drivers are stalling Vista SP1 deliveries
I have additional insights about the Vista SP1 experience that may be of use to you. I recently tested updating Vista to SP1 on a pair of laptops. Each update added to my insights about the process.
One test laptop is an HP Pavilion running Vista Home Premium. The Pavilion had a pair of drivers (one for audio, the other for video) that, if present, will block SP1 installation, according to KB article 948343. I checked to see whether the drivers on the Pavilion were the most current versions. They were. To test if there would still be installation issues on this laptop, I installed the service pack manually.
The results? I had no problems whatsoever. The execution took much more time, however, than when I installed SP1 using Microsoft Update. The manual install required about 90 minutes to download the standalone installer, in addition to the 20 minutes that were required to setup the service pack itself.
The second laptop I tested is a Dell running Vista Ultimate. The laptop uses a Sigma audio driver that Microsoft documents as one that will block the installation of SP1.
Rather than heading over to Dell’s Web site to search for a new driver, I’m allowing the laptop to operate without SP1. I want to find out how much time will pass before Microsoft’s auto-update process offers to install Service Pack 1. Neither Dell’s online updater nor Microsoft Update has offered the Dell laptop a new Sigma driver as of this writing.
I’ll keep you posted on when this laptop gets asked to update to SP1. If Windows Update is not pushing the service pack out to you, and you’re impatient, you may have a driver issue such as the one my Dell has. On the other hand, a driver may have nothing to do with it.
Microsoft vice president Mike Nash has stated that the company will pace the automatic distribution of Vista SP1 in the same way that SP2 for Windows XP was handled. This means the service pack will not be pushed out to everyone at once.
What if you really can’t wait to get SP1, though? If you’ve examined the list of problem drivers that I published in my Feb. 18 column — and if you’re confident that your machine has no drivers that Vista SP1 will find problematic — you could try the manual install scenario, as I did with my HP Pavilion. To do so, get the SP1 update file from the Microsoft Download Center.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.