back to article Horrid checkbox download bundlers drop patch-frozen Chrome

The public service announcement is simple: only install browsers from their vendors' sites, because software attics are planting malware. A download bundler has been caught unloading junk that will kill user's browser updates across the likes of Google Chrome, Firefox, and Internet Explorer. The bundler - part of what amounts …

  1. Anonymous Coward
    Anonymous Coward

    Bah! Now with extra unrequested humbug.

    The public service announcement is simple: only install browsers from their vendors' sites, because software attics are planting malware.

    Bundlers are designed to fool users into installing extra software by checking tickboxes by default and including difficult-to-find text.

    Using the vendor's site does not avoid such subterfuge. For this and other reasons, there are no Adobe or Oracle products, paid or freely available, on my computers.

    1. Sandtitz Silver badge
      Flame

      Re: Bah! Now with extra unrequested humbug.

      "Using the vendor's site does not avoid such subterfuge. For this and other reasons, there are no Adobe or Oracle products, paid or freely available, on my computers."

      Apple should be in that list too. Installing iTunes usually means that sooner rather than later your PC also has Quicktime, Safari and Bonjour, all of which are practically useless for 99% of users. Thankfully Safari was dropped but many, MANY computers still have the out-of-date insecure version installed that Apple just apparently abandoned without a notice.

      I haven't seen the Adobe update processes offering anything but updates, too bad their free downloads usually have Chrome or McAfee tickboxes checked by default.

      Is the revenue from these shitty 3rd party downloads so great that these Billion dollar companies like Oracle and Apple feel the money really outweighs the badwill they generate? How much does Google (for example) pay Adobe to have Chrome installed along with Reader or Flash?

      1. I ain't Spartacus Gold badge

        Re: Bah! Now with extra unrequested humbug.

        I'd love to have seen the anti-virus vendors bin Chrome as malware. It installs itself on people's PCs when they didn't ask for it - therefore in my book it's malware.

        I admit it would be childish, and who wants to get into a pissing contest with Google anyway.

        I noticed a few years ago that loads of people who don't even know what a browser is ("I click on the blue E to get to Google...") had Chrome installed. And I noticed that it was getting dodgily downloaded all over the place, along with that bloody Google toolbar. But I've not seen it do that for a while, until I went to download Flash last week, and saw that it had replaced McAfee Security Scan as their ticked checkbox crapware of choice again.

      2. Chris King

        Re: Bah! Now with extra unrequested humbug.

        Using the "consumer" download links always gets you those "helpful" little extras from Adobe.

        The versions they supply for corporates (which are downloadable if you know the right URL's) don't contain any bundled crap.

        Java installers are a pain in the arse, but these registry keys used to end the madness, haven't checked recently if they still do:

        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft]

        “SPONSORS”=”DISABLE”

        [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft]

        “SPONSORS”=”DISABLE”

        1. graeme leggett Silver badge

          Re: Bah! Now with extra unrequested humbug.

          Its easier for the masses just to go to the bottom ( I wonder why it's there....) of the advanced options in the java control panel.

      3. The Quiet One

        Re: Bah! Now with extra unrequested humbug.

        Don't forget all the Java updates trying to force "Ask" or yahoo(!) on you. I hate that kind of thing with the burning passion of 1000 suns. This is how people end up with so many toolbars in IE that the actual usable browsing space is about 100 pixels tall......

        If you are shipping a product, ship THAT product alone and free from other shite, please.

  2. Anonymous Coward
    Anonymous Coward

    This:

    ensures they are open to attacks from new exploits that they will not receive.

    Eh????

    I know TFI Friday but how can a user be open to an exploit they wont recieve or am i just mis-reading that line???

    1. VinceH

      Re: This:

      It's a little messed up, isn't it? The full sentence should probably read:

      "That move not only exposes users to vulnerabilities patched in newer versions of Chrome but ensures they are open to attacks from new exploits that for which they will also not receive patches."

  3. chivo243 Silver badge

    chrome?

    Seriously, who would install chrome from some file house. Just open any other browser and go to google dot com and click the little badge on the right side that says "a better way to browse the web" "Get Google Chrome".

    1. johnfbw

      Re: chrome?

      Some places block Google. (not sure if China still does)

    2. Thrud61

      Re: chrome?

      For a while searching for google chrome download in Bing returned a top sponsored link that was one of these bundles, but the site it went to was intended to look like the official google chrome site, the downloaded installer was stuffed with nasties.

      1. JCitizen
        Coffee/keyboard

        Re: chrome?

        @Thrud61

        If you have MBAM Pro installed, it will block that link when you click on it. I guess since it is Bing, it makes sense to put a malicious add at the top of such searches. I never hear promises to cleanup the links, like Google does. A wink and a nod from Redmond!

    3. Anonymous Coward
      Anonymous Coward

      Re: chrome?

      Probably the majority of people that may want something like a freeware photo editor, go to many of the sites out there, click on the massive download link and then fail to notice the tiny box that says Advanced settings, then fail to untick all the default check boxes hidden away, except the ones that need to stay ticked of course.

      i.e. about 99.5% of the normal population.

  4. SecretSonOfHG

    Google being "the internet" is part of the problem

    I've seen it happening many times, especially from unsophisticated users: the underlying problem is that they don't know what the browser's address bar is for. You tell them "installl XXX" and they type that into the Google search box, and then blindly click on the first result without looking at the URL. There are lots of popular free programs whose first Google result is some "bundle" instead of the genuine source.

    1. Chris King

      Re: Google being "the internet" is part of the problem

      Yes, I've seen this happen too.

      I was once called out to look at a couple of machines that had suddenly run out of disk space - seems that the users wanted to install RealPlayer and downloaded it from the first hit from Google.

      On that particular day, result #1 wasn't Real Networks, but a Russian site offering malware.

      The "Cracked by...." banner that the installer popped up didn't clue them in that something was wrong. They even sat and watched as their new chums installed FTP servers and turned their machines into warez depots.

      *facepalm*

      Guess who didn't get admin rights after their machines were rebuilt ?

      1. Tannin

        Re: Google being "the internet" is part of the problem

        "it seems that the users wanted to install RealPlayer and downloaded it from the first hit from Google."

        Hmmm ...

        Real Player. They wanted to install it.

        Oh dear.

        1. John Riddoch

          Re: Google being "the internet" is part of the problem

          There was a time where Real Player was pretty much your only media streaming player out there that worked (albeit poorly). Add in proprietary formats that only Real Player supported and it became a "must have" for many people. However, if this was in the last 10 years (or more, probably), there was very little justification for using it.

    2. Vinyl-Junkie
      Joke

      Re: Google being "the internet" is part of the problem

      Probably not a good idea to type XXX into your Google search box!

      Just sayin'

    3. keithpeter Silver badge
      Coat

      Re: Google being "the internet" is part of the problem

      "...they don't know what the browser's address bar is for..."

      @SecretSonOfHG and all

      I teach Maths to adults in evening classes in UK. I usually book an IT room early in the year and show people where the good GCSE Maths videos are (Corbettmaths/Hegartymaths &c) and how to connect to the College VLE so they can get notes and links.

      Yes, the session does turn into a basic IT demo quite quickly.

      About one third of most classes haven't a clue, another third have a clue but use Google as a universal interface to Web sites and the remaining third (give or take) are up with it all. We adopt a peer tutoring approach. We get there...

      The middle third actually have a point: try navigating an exam board Web site to find a GCSE Maths past paper as a .pdf file. Then try googling with a phrase like "$exam_board Maths Foundation Paper" where $exam_board=[AQA|Edexcel|OCR] and see the difference. "Information Architects" take note.

    4. TeeCee Gold badge
      Facepalm

      Re: Google being "the internet" is part of the problem

      Probably doesn't help that world+dog (including the bloody government FFS) has moved in their advertising from "go to xyz.com" to "search online for xyz".

      If they're all now getting screwed by SEO[1] scumbaggery, they need to look in the mirror to see the problem.

      [1] The dodgy sites will always have better search rankings than the vanilla ones, as gaming search engines is a more appealing career for scumbags than it is for others.

  5. Uncle Slacky Silver badge
    Linux

    Repositories?

    Who'd install stuff downloaded from a website when you can just apt-get it from your repo?

    1. CAPS LOCK

      Exactly, I used to have all this nonsense when I ran Windows...

      ... now it's just a quick to the Software Manager (not the cli!) and I'm done. Sooooooooo much easier and better.

      1. Anonymous Coward
        Anonymous Coward

        Re: Exactly, I used to have all this nonsense when I ran Windows...

        ...until your Software Manager turns up no matches. Then it's back to the trenches like everyone else...

        1. CAPS LOCK

          Re: Exactly, I used to have all this nonsense when I ran Windows...

          >...until your Software Manager turns up no matches. Then it's back to

          > the trenches like everyone else...

          Hasn't happened. Mind you I ask on the very helpful [redacted] forum. You should try it, you might be surprised. I won't tell anyone, and you can keep on working for Microsoft Online Reputation Management.

          1. Anonymous Coward
            Anonymous Coward

            Re: Exactly, I used to have all this nonsense when I ran Windows...

            "Hasn't happened. Mind you I ask on the very helpful [redacted] forum."

            Must not be very helpful if it's name has been redacted. Meanwhile, I DID have regular trouble finding an application in a stright-up Software Manager. Some I have to add a new repository; others I have to download and compile source code (both security risks). So I'm speaking from firsthand experience.

            You also have to consider Joe Ordinary if you intend to help Linux take over the world. Until Joe Ordinary can basically turn a key and get everything to work (including the occasional obscure thing like games), you're more likely to irk them than win them over.

    2. Little Mouse

      Re: Repositories?

      "you can just apt-get it from your repo"

      Who? Most People won't have the faintest idea what that even means, let alone why it would be better.

      1. Anonymous Coward
        Anonymous Coward

        Re: Repositories?

        >LM

        "Who? Most People won't have the faintest idea what that even means, let alone why it would be better."

        Erm, this is "The Register" which happens to be a technical and computing publication, not Pig Farmers Monthly so I'd expect most readers here to know what it means and those that don't have the nous to use Google. The tiny minority that can't fulfil either of those criteria then pop off to your local newsagents and order a copy of Pig Farmers Monthly instead of reading The Register.

        1. This post has been deleted by its author

      2. Anonymous Bullard

        Re: Repositories?

        Who? Most People won't have the faintest idea what that even means

        Yet they're more than capable of doing the same thing on their phones and tablets.

    3. Anonymous Coward
      Anonymous Coward

      Re: Repositories?

      Most people probably don't know about Chocolatey, a third party repository equivalent for Windows, which often includes extra installation scripting to auto-disable crap installation in shameful official installers.

      I think that most people using Windows should have Unchecky installed, to most of the time auto-select the right options in installers to not install bundled crap. Some anti-virus also spot some of the crap and block it.

      I'll never install Chrome because it spies on you, and because it is stupid and insecure to install application software in the user profile. I install SRWare Iron and Opera instead as fallback browsers.

      If Oracle are still bundling crap with the JRE (they don't for the SDK), then it is deeply hypocritical with their security policies and quite stupid public relations!

      I shun Adobe as much as possible anyway because I dislike /all/ of their products, including for security reasons. I'd like to see Flash dead and unsupported by all browsers because I think it is a far worse security risk than Java!

  6. jason 7

    Unchecky

    I now install this on customers machines. I find a lot less crap on their machines when they bring them back a year or more later.

  7. Tommyinoz

    apt-get is your friend

    This is an old Windows issue. The Windows culture is to go to a search engine, search for the application you want, go to the website and download the setup file, launch the setup program, type in your admin password and hope hope for the best. You don't know what the hell that setup.exe file is going to do once you give your permission to run.

    Wouldn't it be great if there was a simple command that people could type in (or cut and paste) and it would automatically download and install the application from a trusted source and it would just work? Maybe the command could look something like this:

    sudo apt-get install google-chrome-stable

    Or just use the easy to use Software Manager if you prefer to use a graphical interface.

    Anyway, people keep telling me that Windows Store is the answer. So I blew the dust off my Windows 10 laptop to take a look. I started the Windows Store and started searching. I couldn't find Chrome or Firefox. Searching for 'office' returned only mobile versions of Word, Excel, Powerpoint, etc. So it's totally useless.

    1. Anonymous Coward
      FAIL

      Re: apt-get is your friend

      "sudo apt-get install google-chrome-stable"

      And we wonder why people still use Windows. FFS

      1. Tommyinoz
        Thumb Up

        Re: And we wonder why people still use Windows. FFS

        If the command line scares you, you can always use Software Manager.

        1. Unbelievable!

          Re: And we wonder why people still use Windows. FFS

          yeah i think he meant that using 'Chrome' in the apt-get cmd line for the example. there are better examples..like opera perhaps? Anyway apt-get, in theory, could still connect anywhere and download crud.... that's how malware works. it misdirects and deceives don't ya know ;)

      2. captain veg Silver badge

        Re: apt-get is your friend

        Ever tried WiFi-tethering your mobile to a Win8 machine (i.e. ad hoc)? There is no GUI option, and the required command lines are arcane, to say the least.

        -A.

        1. cbars Silver badge

          Re: apt-get is your friend

          hotspot

      3. Anonymous Coward
        Anonymous Coward

        Re: apt-get is your friend

        @Lost All Faith

        So Powershell must scare the pants off you then ?

        1. jason 7

          Re: apt-get is your friend

          Never had to use it.

          I use CMD to switch off hibernation and reset the IP config a few times a year. That's it.

          Usually there is a one click button that does most things. Its the 21st century after all.

          1. Anonymous Coward
            Anonymous Coward

            Re: apt-get is your friend

            "Usually there is a one click button that does most things"

            Apart from when you're trying to download some software, in that case there's 6 one click buttons of which only one of them isn't some sort of scam.

            One of the many reasons Windows isn't on my kids computers.

            1. jason 7

              Re: apt-get is your friend

              Your kids...not my problem.

  8. jason 7

    Ninite

    www.ninite.com

    The best for Windows machines.

  9. Maty

    then there's EULA ...

    I was halfway through downloading my weekly magazine onto the iPad when up pops Apple's 'Your terms and conditions have changed. Please read this frigging 52-page document of legalese in fine print and then click 'I agree' before you can get on with your magazine and morning tea and toast. (Please note there is no 'I disagree' button.)'

    Like 99.99% of the population I agreed to something I had not read. I might have agreed to sell my first born to Satan, accept unpatched versions of Adobe, or agreed to install and never delete iTunes.

    The whole system is broken

  10. pixl97

    You know you're infected when

    "Updates have been disabled by the administrator"

    When I see that in Chrome the next tool running is MalwareBytes.

  11. CAPS LOCK

    Microsoft Online Reputation Management are hard at work today....

    ... Perhaps they have a lot of free time?

    1. dogged

      Re: Microsoft Online Reputation Management are hard at work today....

      Hey fanboy.

      This article is about badness in installers used by end-users. It is not an OS advocacy article or an opportunity for you to be smug. Discuss the problem as it applies to end-users or fuck off.

    2. I ain't Spartacus Gold badge

      Re: Microsoft Online Reputation Management are hard at work today....

      CAPS LOCK,

      I presume you're an unpaid reputation manager for Linux. The problem is that if you come across as a smug self-satisfied arse, that what you're achieving is to manage to reduce the reputation of Linux. Which would be a shame.

      Linux is great. Windows is also great. Lots of people were very nice about Windows 7. 8, not so much, but I happen to think 10 is quite nice. For those who disagree, 7's still around.

      This is a problem about scummy vendors installing more software than you asked for. Which would be equally possible with Linux. Obviously in a lot of cases this is user-error, in that they're installing stuff they shouldn't trust. But there's also Oracle and Adobe doing it, who should bloody well know better. And of course Google are the ones paying Adobe to do it, with Chrome and their crappy old toolbar.

  12. Anonymous Coward
    Anonymous Coward

    Money talks

    Doesn't seem beyond the wit of a major's lawyers to write terms that prevent their product installer being included as part of or alongside any other package unless explicitly agreed to in writing. Then they go after bundlers. Probably helpful to launch a mass media campaign along the lines of "get the real deal. google.com/chrome. Anything else just isn't Google"

    That then leaves the people who actually do deals to bundle extras with their products. Oracle and Adobe, I'm looking at you. Not sure what to do here except block them from getting on machines in the first place (via GPO, chef or a baseball bat, I'm not choosy) and mandating in supply chain that no one gets our business if Java or Flash is a requirement.

  13. Jim-234

    The ones I hate the most are the high profile sites that like to grab good decent opensource packages and bundle a bunch malware around them like... SourceForge... vile den of wretched greed...

    That being said, the sooner Flash and other such Adobe crap can vanish the better... then if we could only get rid of that Java abomination.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like