Insecure AVG search tool shoved down users' throats, says US CERT

The US Computer Emergency Response Team (CERT) has warned users about software download sites' practice of including unasked-for downloads, after one such program - AVG's Secure Search toolbar - was found to be insecure. Known as "bloatware" or "foistware", unasked-for software is bundled into the installation wrappers used …

Anonymous Coward

download.com?

Doesn't just about everything from Download.com get packaged up with 'foistware'?

I stopped using them years ago because of the crap they seem to bundle with their downloads.

Now if the likes of Foxit were to stop including the 'Ask' toolbar etc I might feel a little more inclined to contribute.

34
0
Anonymous Coward

Re: download.com?

Download.com used to display two links for most packages. Their large green Download button often included their "installer", the other smaller text link was a direct one to the genuine download package.

Confusingly they didn't always offer the direct text link download option, and sometimes their official download link didn't contain their installer.

Checking the site this morning I couldn't see the text download link on any page, but some download links didn't contain their installer either. They seem to be messing about with what was once a perfectly good format.

7
0

Foxit

Foxit was installing more than just the Ask toolbar recently - and to make it worse, it added the extra software (Open Candy - no idea what it is, but AVG alerted during the installation) as part of the update process.

That led to an immediate removal of Foxit for me, which is a shame as I've championed it over Adobe Reader for years.

10
0
Bronze badge

Re: Foxit

It's not just foxit that installs open candy. Do a Google search and you will find a who's who of applications I used to recommend. It is really sad that so many otherwise brilliant applications stoop to installing this spyware.

3
0
Bronze badge

Re: Foxit

Seems there has been a trend of companies offering just enough to buy (either directly, or through offering funding support) the popular free programs. Then quickly adding or insisting the makers add bloatware/foist ware to it.

As other companies follow suit (Adobe being one of the biggest guilty right now) it becomes the "norm". :(

0
0
Bronze badge

Re: Foxit

"It's not just foxit that installs open candy. Do a Google search and you will find a who's who of applications I used to recommend. It is really sad that so many otherwise brilliant applications stoop to installing this spyware."

A lot of my formerly trusted software vendors and sources have become corrupted by these practices. It's started to feel like the whole Windows Universe™ is turning into a ghetto.

0
0

Re: Foxit

Gave up on Foxit years ago, Sumatra PDF Reader is astonishingly lightweight in comparison, the installer is only 4MB! Best of all, no bloatware etc.

0
0
Gold badge

"Known as "bloatware" or "foistware","

Hereabouts we call it "payload", especially when the payload is a browser toolbar. Has there ever been a useful browser toolbar?

24
0
Silver badge

Not come across one so far.

Unless by "useful" you mean "slows browser down to a crawl".

1
0
Bronze badge

Web Developer Toolbar for Firefox. Mostly redundant now with all the built-in dev tools in the major browsers, but ten years ago it was a godsend.

1
0

Does my bookmark toolbar count?

1
0
Silver badge

"Has there ever been a useful browser toolbar?"

Not for a long time.

Easy to get carried away though, Google "Internet Explorer Toolbar Madness images" and click on images link.

2
0
Bronze badge

Browsers ought to have an 'Allow Tool Bars' option, which if not enabled, won't allow their use at all.

Have the option unselected by default on first install of the new browser. (Perhaps via a hot fix for IE).

If you do want/need to use tool bars, then tick the box to allow them during install of the alternate browser, (or in the settings afterwards if already installed).

1
0
Gold badge

"Browsers ought to have an 'Allow Tool Bars' option, which if not enabled, won't allow their use at all."

The difficulty there is writing such a browser in a way that lets the human make the decision but prevents a copycat program from automating exactly the same steps. Generally speaking, the programmers most willing to spend time and effort posting "raw input" messages are exactly the ones that sane users least want to be able to impersonate them.

1
0

I was always under the impression that bloatware was just software that got too large and fat... like Windows and its 40GB of installation files...

0
0
Bronze badge
Happy

Useful toolbar?

Has there ever been a useful browser toolbar?

Google Toolbar was highly useful for IE users until up to IE6 because there was no built-in search box.

0
0
Paris Hilton

@John Tserkezis

You mean those images of IE and all the tool bars aren't normal? Try explaining that to some of my....thicker.....repeat customers.

0
0
Anonymous Coward

Democracy

It's about time that Google and Bing brought some democratic accountability to their search engines by allowing users to choose what appears at the top of the search results rather than their sloppy and easily bypassed algorithms.

0
5
Silver badge

Re: Democracy

If I knew where to find what I was looking for, why would I Google/Bing for it?

4
0
Silver badge

Are you listening Adobe, Oracle?

When we download Flash Player, we do NOT want McAfee.

When we download Java, we do NOT want the Ask.com toolbar.

43
0
Anonymous Coward

Re: Are you listening Adobe, Oracle?

Are people *still* not using ninite.com?

3
4
Bronze badge

Re: Are you listening Adobe, Oracle?

By the time you've installed both Flash Player and Java, a toolbar is probably the least of your worries...

15
0
Silver badge

Re: Are you listening Adobe, Oracle?

Ninite has its own problems.

1) It's not exactly exhaustive, although it does include some good software.

2) While the Ninite installation packages don't include adware etc, they also don't allow you to customise settings like file associations and whether or not another %^!"%^ icon gets added to your desktop.

So YMMV.

1
0
Bronze badge

Re: Are you listening Adobe, Oracle?

At least with Java there's a registry key to prevent it installing the malware when updates come out. Pity it's not set by default since Oracle think distributing malware is OK.

0
0
Silver badge

Re: Are you listening Adobe, Oracle?

Are people *still* not using ninite.com?

Debian invented the Advanced Packaging Tool back in 1998. Why is it that 16 years later, we still don't have an equivalent for Windows?

Why can't I create a file (or have the system add a file), say, C:\WINDOWS\apt\sources.list.d\adobe.list, then a front-end just does an 'apt-get install adobe-flash'?

Windows update? Yeah sure, just 'apt-get dist-upgrade'. Done.

No, instead we have the old DOS-like system of everything having its own separate installer, bundling up lord knows what, which we have to go to separate download sites to download individually, and manage dependencies ourselves. C'mon Microsoft, if I wanted to do that, I'd use Slackware!

And before people bring up the Windows Store: show me where I can download a copy of the Windows Store for, say, Windows 7. How about downloading a copy of Firefox and LibreOffice via the Windows Store? Can they throw up a "Windows Store" repository like they do for YUM and APT, and just have us download a small text file that gets added to the "Windows Store" app's list of repositories like is presently done in APT/YUM?

1
0

@Stuart Longland

The problem is that you seem to want something for free when it actually costs something to build. Last I recall, Oracle, not my favourite company by any means, isn't a charity.

1
16
Silver badge

Re: @Stuart Longland

"The problem is that you seem to want something for free when it actually costs something to build."

So we are supposed to pay for those little things that enable us to use their products - little things that they give away for free? (and tell the world we can't exist without them)

6
1
Bronze badge
Trollface

Re: @Stuart Longland

You mean we could actually kill Flash if everyone refused to tick 'accept' for the payload...?!? Did you hear that, people? Onwaaaaards!!!

14
0
Silver badge
Stop

Re: @Stuart Longland

These companies don't charge for the client, but they right royally fuck you over if you want to create content.

So no, they are providing nothing for free, the more "free" clients out there, the more demand for the software to create it with. Add an update to 20 million client = a need (read pay) for an update for the creation tools.

6
0
Bronze badge

Re: @Stuart Longland

Ironically,

All of my best utilities, tools, and even to some extent OS's are similarly "free".

Freeware has been around for DECADES.

Shareware has been around for DECADES.

There's always been a difference between the two but neither stopped the other existing or made every programmer jump ship to earn cash.

And, believe it or not, in the old days everyone who gave stuff away didn't take over your computer in order to turn you into a cash cow just so they could claw back the 50p that the ZIP library they wrapped in a GUI cost them to make.

Nobody is obliged to pay for this stuff, because it's given away for free. And people will happily pay to NOT use software that tricks them into installing junk and costing them time and money to remove. They'll use your competitor instead.

Just because you give something away for free does NOT mean you're entitled to try to take over the computer of every person that downloaded it in order to pay your costs, and certainly not without the user's explicit permission.

And without free, truly free, software, there's an awful lot of stuff that would just fall over.

If you gave it away, I'm not obliged to pay you. Certainly not against my will by installing a toolbar that I don't want.

5
0
Silver badge

Re: @Stuart Longland

The problem is that you seem to want something for free when it actually costs something to build. Last I recall, Oracle, not my favourite company by any means, isn't a charity.

So you'd give a company who releases something "for free" permission to install say, a bitcoin miner on your computer on the grounds that they're not a charity?

Oracle make plenty of money gouging their database customers. If providing a clean Java runtime is too expensive, they should reconsider its "free" status.

3
0
Bronze badge
Trollface

Re: @Stuart Longland

I actually use a system that was built for freedom. Bloat has always been a Microsoft problem whether in their code or practices.

I have heard that Linux is for geeks and you have to be pretty savvy to use it, but now in order to use a Windows system safely you have to know your system to an extreme amount. Check every update for malware, scan your registry for unknown or strange keys.

All this from people who say "TRUST US, WE'RE THE GOOD GUYS."

1
1
Bronze badge

Re: @Stuart Longland

>you seem to want something for free when it actually costs something to build

Who held a gun to their head and asked them to release it for free? You are conveniently ignoring their bait and switch of claiming it is free but the cost is hidden by a EULA so long that no normal person could possibly comprehend it. Or another way to think of it is would the free* software have gained such market share if they charged for it all along? Did their decision to give it away make competitive products unprofitable?

*Free as in you can have this beer if you let me look through your fridge and note everything in there and then offer you advertisements based upon people with similar tastes.

3
0

Re: @Stuart Longland

Yeah, you've fallen for the new normal.

Adobe needs us to have Flash Player installed on our computers for their Flash creation tools to be worth buying. For years the deal was we downloaded the player for free _WITHOUT_ any crapware being snuck in along with it and they sold developer tools to make their coin. A few years ago some dimwit decided that Adobe could just shit on users and we'd put up with it or at least we'd not raise too much of a stink. So they have now "monetized" the download of their free player.

2
0

Re: @Stuart Longland

"you seem to want something for free "

Herpes is free too. Doesn't make anyone want more of it; People like Oracle and Adobe would find a way to push it on anybody the instant there was a business to be made from it!

0
0

The most popular "bundled" software..

..That I come across:

Google Chrome.

(Admittedly, it's a sample group of two but they only trust installation of software updates. Never download.com, yet I always find GC installed without fail each time I visit.)

6
0
Silver badge

Re: The most popular "bundled" software..

Absolutely

I classify Chrome as malware for exactly this reason. The only reason nobody rags on Google for this practice is because they're so big. Hopefully if CERT US have the authority or backing to take action on this underhanded and deceptive practice, that Google will also be targeted alongside the likes of Ask and Zango. They might even manage to get the practice made illegal. Hey, I can dream, can't I?

6
1
Silver badge

Re: The most popular "bundled" software..

Two words

SRWare Iron

0
0
Silver badge
Holmes

Weirdly, last time I installed NoScript, I don't know what happened and I suddenly was on a webpage with some security tool "RECOMMENDED BY EDWARD SNOWDEN"

I got the fuck out as fast as possible.

3
0
Bronze badge

Shove junk that I don't want into your downloads?

I stop using your software.

At BEST, I remove the junk and keep a "clean" version somewhere on my network that I only ever use to install from (i.e. you not only lose your paid-for junk, but quite likely any future updates, and I'll start looking for alternatives).

It's things like this that force me to move towards software where I have a choice. I'm not a GNU/FSF fan at all, but to me open-software does precisely what I need to do and nothing more, especially where installation is concerned.

Don't even get me started on the places that take freeware like Irfanview and "bundle" it for no reason (surely against the EULA of a lot of this software, if it isn't and it was my software, it most certainly would be very quickly).

Honestly, a great way to turn off your customers. And you know what, a ZIP utility installing a browser toolbar is NOT something that ANYONE actually wants. Stop it. I'm looking at you IZArc, that I recommended and used personally for years until you started that nonsense.

And why do I get annoyed? Precisely because I want you doing NOTHING MORE than you absolutely need to do to do the job, because of problems like this. Especially when you want to insert yourself into my web-browsing path, redirect my searches, even change my proxy to something third-party. It's a massive security issue, even if things aren't written by a technically incompetent programmer, or maliciously intended.

9
0
Big Brother

Did we enter a time loop? Are we heading back to the days of clandestine spyware installations of the early 2000's? Will I need to start using Spybot - Search & Destroy again? Will we ever reach a point where we no longer have to lecture the average user and tell them to stop being so click happy and to read what's on the screen?

5
0
Stop

"Will we ever reach a point where we no longer have to lecture. . ."

No.

0
0

paint.net

Try downloading Paint.NET - a programme which itself doesn't come with this crap - but trying to download it on a browser without ad-blockers pretty much guarantees you'll either download some crap or end up on the mirrors website (even when you know how bad the site is).

0
0

Re: paint.net

Those misleading advertisement download buttons are exactly why I now run AdBlock all the time. I've decided I'd rather feel mildly guilty about not supporting the web sites I visit than be constantly bombarded by crap that wastes my time and serves no purpose (because I'm not going to download their fake crap anyway). That and the talking ads, those should be illegal and if your site has them you'd better believe that 90%+ of your readers are running adblock right now.

3
0
Bronze badge

Re: paint.net

The thing about websites complaining about advertising blocking... it's like the Mafia complaining about having their bats taken off them.

Some people fund their own websites out of their own pocket. Others fund them in other ways.

Once I know the adverts are SAFE, then I might turn off an adblocker. Until then, the only ads you get to show are ones part of your content, not ones passed through dodgy Google algorithms with zero safety checks.

1
0
Anonymous Coward

As far as I can see, the only difference between a "foistware" and a virus is that the author of the foistware can be identified.

So I don't understand why they haven't been rounded up and put in jail.

3
0
Anonymous Coward

They are "businesses" remember: Legally "individuals" with rights, but no responsibility. A business does not go to jail, it pays a "settlement" of a few % of the profits - with shareholders' money - and carries right on.

0
0
Silver badge

Duh and or Olá!

0
0

This stops if it's made into law that if given software A wants to install a given software B on which software A is not directly dependent, the opt out option is made to be the default one and the maker of software A is directly responsible for any damages caused by software B installation/usage.

1000000:1 as no developer will take on those hot potatoes anymore.

I'll get flamed for this, but Google is seriously dumb for not jumping on this opportunity. They'd need so little work to add this to their revenue stream it's dumbfounding how they never managed to get it going (properly)... Alas, our great advertising overlords are not as omni as we make them out to be...

1
0
Bronze badge

Nah. They will do the same all companies do... skirt the law. They would just make everything dependent on browser toolbars.

Know the term "unintended consequences"?

0
0
