A complaint has been made about security updates that include software downloads such as toolbars from third parties.
Writing on the bleepingcomputer.com forum, one user who remained anonymous apart from calling himself ‘One Highly Annoyed User Who Refuses To Take It Anymow', complained that ‘security updates should have no other content other than security content'.
The basis of his complaint was that vendors were permitted to install third party toolbars along with security updates. He said: “A notice appears on your PC about an update for Adobe Flash Player. Adobe, in their infinite wisdom, doesn't inform users why this update has come out.
“The user, thinking that it improves the Flash Player, hurries to install it, clicking quickly through the installation pages. When the update is done, guess what? There's another toolbar installed to Internet Explorer! In the US, it will likely be either a Yahoo or Google toolbar. Lord knows which toolbar users in other regions of the world will find installed.”
He asked where vendors get the nerve to sneak toolbars onto unsuspecting users' systems in the guise of updating their applications or runtimes, and why are they allowed to behave like the criminals who install malware on unsuspecting victims' systems?
“Is it because their software is so inherently insecure that it needs security updates so often that they need to defer costs by making agreements with third party toolbar vendors?”
“Are they hoping that the senior citizens who can't read each and every installation page will not notice that another useless, unwanted toolbar is being installed along with another purported ‘upgrade' of their app/runtime/media viewer when, in reality, this ‘upgraded' version of their inherently insecure software is, in reality, a security update.”
He finished his statement by claiming that he will monitor security updates for the toolbars and ‘extras' installed along with patches. He said: “I will not stop this campaign against these vendors until they learn that security updates can not be used to increase revenue, rather, they are meant to address vulnerabilities in their software.”
Stuart Okin, managing director of Comsec Consulting, claimed that he agreed with the general principles raised, that security patches should be for security only and that software vendors should be discouraged from installing unrelated third party products. However, it is more difficult to stay pure to the principles than most people think.
Okin said: “First of all most consumers do not know or quite frankly care about the difference between a security patch or any other enhancement. When they buy or get a free product, they want it to stay secure and get updated with any of the latest enhancements.
“So how do you differentiate between the two? Microsoft does this by giving you the option to automatically install security patches, while allowing you to review the optional updates (including product enhancements).
“However, in practice, many people either don't bother to install the optional updates (as they don't know they are there) or install them all without reading them. I recently had to rebuild my laptop. The security updates downloaded automatically, but I had some 20+ optional updates - who has the time to review each of them?”
Okin further claimed that the reality of third party partnerships is that they will probably always exist to try and maximise the publishing and marketing of software gadgets – especially, as in many cases this is the only mechanism available to some of these vendors in getting a revenue stream.
“However, I think we should put pressure on these vendors to at least have the option switched off by default and that users have to actively select the install of a gadget, such as search toolbar,” said Okin.