Horrid checkbox download bundlers drop patch-frozen Chrome The public service announcement is simple: only install browsers from their vendors' sites, because software attics are planting malware. A download bundler has been caught unloading junk that will kill user's browser updates across the likes of Google Chrome, Firefox, and Internet Explorer. The bundler - part of what amounts …
The public service announcement is simple: only install browsers from their vendors' sites, because software attics are planting malware.
…
Bundlers are designed to fool users into installing extra software by checking tickboxes by default and including difficult-to-find text.
Using the vendor's site does not avoid such subterfuge. For this and other reasons, there are no Adobe or Oracle products, paid or freely available, on my computers.
"Using the vendor's site does not avoid such subterfuge. For this and other reasons, there are no Adobe or Oracle products, paid or freely available, on my computers."
Apple should be in that list too. Installing iTunes usually means that sooner rather than later your PC also has Quicktime, Safari and Bonjour, all of which are practically useless for 99% of users. Thankfully Safari was dropped but many, MANY computers still have the out-of-date insecure version installed that Apple just apparently abandoned without a notice.
I haven't seen the Adobe update processes offering anything but updates, too bad their free downloads usually have Chrome or McAfee tickboxes checked by default.
Is the revenue from these shitty 3rd party downloads so great that these Billion dollar companies like Oracle and Apple feel the money really outweighs the badwill they generate? How much does Google (for example) pay Adobe to have Chrome installed along with Reader or Flash?
I'd love to have seen the anti-virus vendors bin Chrome as malware. It installs itself on people's PCs when they didn't ask for it - therefore in my book it's malware.
I admit it would be childish, and who wants to get into a pissing contest with Google anyway.
I noticed a few years ago that loads of people who don't even know what a browser is ("I click on the blue E to get to Google...") had Chrome installed. And I noticed that it was getting dodgily downloaded all over the place, along with that bloody Google toolbar. But I've not seen it do that for a while, until I went to download Flash last week, and saw that it had replaced McAfee Security Scan as their ticked checkbox crapware of choice again.
Using the "consumer" download links always gets you those "helpful" little extras from Adobe.
The versions they supply for corporates (which are downloadable if you know the right URL's) don't contain any bundled crap.
Java installers are a pain in the arse, but these registry keys used to end the madness, haven't checked recently if they still do:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft]
“SPONSORS”=”DISABLE”
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft]
“SPONSORS”=”DISABLE”
Don't forget all the Java updates trying to force "Ask" or yahoo(!) on you. I hate that kind of thing with the burning passion of 1000 suns. This is how people end up with so many toolbars in IE that the actual usable browsing space is about 100 pixels tall......
If you are shipping a product, ship THAT product alone and free from other shite, please.
Probably the majority of people that may want something like a freeware photo editor, go to many of the sites out there, click on the massive download link and then fail to notice the tiny box that says Advanced settings, then fail to untick all the default check boxes hidden away, except the ones that need to stay ticked of course.
i.e. about 99.5% of the normal population.
I've seen it happening many times, especially from unsophisticated users: the underlying problem is that they don't know what the browser's address bar is for. You tell them "installl XXX" and they type that into the Google search box, and then blindly click on the first result without looking at the URL. There are lots of popular free programs whose first Google result is some "bundle" instead of the genuine source.
Yes, I've seen this happen too.
I was once called out to look at a couple of machines that had suddenly run out of disk space - seems that the users wanted to install RealPlayer and downloaded it from the first hit from Google.
On that particular day, result #1 wasn't Real Networks, but a Russian site offering malware.
The "Cracked by...." banner that the installer popped up didn't clue them in that something was wrong. They even sat and watched as their new chums installed FTP servers and turned their machines into warez depots.
*facepalm*
Guess who didn't get admin rights after their machines were rebuilt ?
There was a time where Real Player was pretty much your only media streaming player out there that worked (albeit poorly). Add in proprietary formats that only Real Player supported and it became a "must have" for many people. However, if this was in the last 10 years (or more, probably), there was very little justification for using it.
"...they don't know what the browser's address bar is for..."
@SecretSonOfHG and all
I teach Maths to adults in evening classes in UK. I usually book an IT room early in the year and show people where the good GCSE Maths videos are (Corbettmaths/Hegartymaths &c) and how to connect to the College VLE so they can get notes and links.
Yes, the session does turn into a basic IT demo quite quickly.
About one third of most classes haven't a clue, another third have a clue but use Google as a universal interface to Web sites and the remaining third (give or take) are up with it all. We adopt a peer tutoring approach. We get there...
The middle third actually have a point: try navigating an exam board Web site to find a GCSE Maths past paper as a .pdf file. Then try googling with a phrase like "$exam_board Maths Foundation Paper" where $exam_board=[AQA|Edexcel|OCR] and see the difference. "Information Architects" take note.
Probably doesn't help that world+dog (including the bloody government FFS) has moved in their advertising from "go to xyz.com" to "search online for xyz".
If they're all now getting screwed by SEO[1] scumbaggery, they need to look in the mirror to see the problem.
[1] The dodgy sites will always have better search rankings than the vanilla ones, as gaming search engines is a more appealing career for scumbags than it is for others.
>...until your Software Manager turns up no matches. Then it's back to
> the trenches like everyone else...
Hasn't happened. Mind you I ask on the very helpful [redacted] forum. You should try it, you might be surprised. I won't tell anyone, and you can keep on working for Microsoft Online Reputation Management.
"Hasn't happened. Mind you I ask on the very helpful [redacted] forum."
Must not be very helpful if it's name has been redacted. Meanwhile, I DID have regular trouble finding an application in a stright-up Software Manager. Some I have to add a new repository; others I have to download and compile source code (both security risks). So I'm speaking from firsthand experience.
You also have to consider Joe Ordinary if you intend to help Linux take over the world. Until Joe Ordinary can basically turn a key and get everything to work (including the occasional obscure thing like games), you're more likely to irk them than win them over.
>LM
"Who? Most People won't have the faintest idea what that even means, let alone why it would be better."
Erm, this is "The Register" which happens to be a technical and computing publication, not Pig Farmers Monthly so I'd expect most readers here to know what it means and those that don't have the nous to use Google. The tiny minority that can't fulfil either of those criteria then pop off to your local newsagents and order a copy of Pig Farmers Monthly instead of reading The Register.
This post has been deleted by its author
Most people probably don't know about Chocolatey, a third party repository equivalent for Windows, which often includes extra installation scripting to auto-disable crap installation in shameful official installers.
I think that most people using Windows should have Unchecky installed, to most of the time auto-select the right options in installers to not install bundled crap. Some anti-virus also spot some of the crap and block it.
I'll never install Chrome because it spies on you, and because it is stupid and insecure to install application software in the user profile. I install SRWare Iron and Opera instead as fallback browsers.
If Oracle are still bundling crap with the JRE (they don't for the SDK), then it is deeply hypocritical with their security policies and quite stupid public relations!
I shun Adobe as much as possible anyway because I dislike /all/ of their products, including for security reasons. I'd like to see Flash dead and unsupported by all browsers because I think it is a far worse security risk than Java!
This is an old Windows issue. The Windows culture is to go to a search engine, search for the application you want, go to the website and download the setup file, launch the setup program, type in your admin password and hope hope for the best. You don't know what the hell that setup.exe file is going to do once you give your permission to run.
Wouldn't it be great if there was a simple command that people could type in (or cut and paste) and it would automatically download and install the application from a trusted source and it would just work? Maybe the command could look something like this:
sudo apt-get install google-chrome-stable
Or just use the easy to use Software Manager if you prefer to use a graphical interface.
Anyway, people keep telling me that Windows Store is the answer. So I blew the dust off my Windows 10 laptop to take a look. I started the Windows Store and started searching. I couldn't find Chrome or Firefox. Searching for 'office' returned only mobile versions of Word, Excel, Powerpoint, etc. So it's totally useless.
yeah i think he meant that using 'Chrome' in the apt-get cmd line for the example. there are better examples..like opera perhaps? Anyway apt-get, in theory, could still connect anywhere and download crud.... that's how malware works. it misdirects and deceives don't ya know ;)
"Usually there is a one click button that does most things"
Apart from when you're trying to download some software, in that case there's 6 one click buttons of which only one of them isn't some sort of scam.
One of the many reasons Windows isn't on my kids computers.
I was halfway through downloading my weekly magazine onto the iPad when up pops Apple's 'Your terms and conditions have changed. Please read this frigging 52-page document of legalese in fine print and then click 'I agree' before you can get on with your magazine and morning tea and toast. (Please note there is no 'I disagree' button.)'
Like 99.99% of the population I agreed to something I had not read. I might have agreed to sell my first born to Satan, accept unpatched versions of Adobe, or agreed to install and never delete iTunes.
The whole system is broken
CAPS LOCK,
I presume you're an unpaid reputation manager for Linux. The problem is that if you come across as a smug self-satisfied arse, that what you're achieving is to manage to reduce the reputation of Linux. Which would be a shame.
Linux is great. Windows is also great. Lots of people were very nice about Windows 7. 8, not so much, but I happen to think 10 is quite nice. For those who disagree, 7's still around.
This is a problem about scummy vendors installing more software than you asked for. Which would be equally possible with Linux. Obviously in a lot of cases this is user-error, in that they're installing stuff they shouldn't trust. But there's also Oracle and Adobe doing it, who should bloody well know better. And of course Google are the ones paying Adobe to do it, with Chrome and their crappy old toolbar.
Doesn't seem beyond the wit of a major's lawyers to write terms that prevent their product installer being included as part of or alongside any other package unless explicitly agreed to in writing. Then they go after bundlers. Probably helpful to launch a mass media campaign along the lines of "get the real deal. google.com/chrome. Anything else just isn't Google"
That then leaves the people who actually do deals to bundle extras with their products. Oracle and Adobe, I'm looking at you. Not sure what to do here except block them from getting on machines in the first place (via GPO, chef or a baseball bat, I'm not choosy) and mandating in supply chain that no one gets our business if Java or Flash is a requirement.
The ones I hate the most are the high profile sites that like to grab good decent opensource packages and bundle a bunch malware around them like... SourceForge... vile den of wretched greed...
That being said, the sooner Flash and other such Adobe crap can vanish the better... then if we could only get rid of that Java abomination.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
