In a comment posted to my earlier post on “poisoned” Windows Media files, Ben Edelman offers the sort of excellent counterpoint you’d expect from someone who is not only attending Harvard Law School but also studying for a PhD in economics at Harvard:
I don’t think it’s right to say the license agreement is “quite clear on what [users] would get.” Certainly the license never says anything like “this program will install 30+ other programs from third parties, and clog your registry with tens of thousands of new entries.”
Fair enough. My comments were not in any way meant to let the scummy purveyors of this crapware off the hook. My intent was to indicate that a security-conscious individual who follows the links in the installation dialog boxes will see plenty of stuff to raise red flags.
Update: I went back and read the terms of service for iSearch and iLookup, which was the second module installed using this file. The terms of service specifically say: “…you understand and agree that the Software may, without any further prior notice to you … automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction.” (This doesn’t excuse the actions of the purveyors of this crapware, but any aware user will know exactly what he or she is getting.)
Ben’s absolutely right that the people who are behind these add-ins are preying on ordinary users with a wide range of tricks. Sadly, I’ve seen all these tricks used before, but that doesn’t make them any more acceptable here. I agree completely with Ben when he writes:
I think Ed gives too little weight to the especially deceptive circumstances of a software installation prompt shown when users try to watch a video. For one, legitimate media players actually do use these prompts to install necessary updates (i.e. the latest version of Macromedia Flash). In addition, the unusually misleading (purported) product name and company name make it particularly easy to be led astray here. Users deserve better.
I can end this post on a positive note, by the way. After I read the most recent update to Ben’s test report (including a link to this post and a discussion of my findings), I decided to carry the test one step further. I took a deep breath and did what a naive, foolish user would do: I clicked Install when presented with the first deceptive spyware prompt. And then for good measure I clicked Install when prompted to install the second spyware program as well.
How bad was it? Surprise! My test PC is running GIANT AntiSpyware, which promptly blocked the nasty program from installing with a stern warning.
I clicked Remove, and a subsequent scan showed that no spyware — zero — was installed on this computer. I had no unexplained pop-ups, my searches went to the place they were supposed to go, my home page was unchanged, and a scan of the firewall logs showed no suspicious activity. (Curiously, the SpiderSearch program was apparently not installed at all, and the iLookup module was blocked. I don’t know if this is the one that so throughly polluted Ben’s test computer.)
Last month, Microsoft purchased the company that makes GIANT AntiSpyware and announced plans to release a free public beta of the Microsoft-branded version of this program later this month. They also announced a new set of strategic initiatives to reduce the spyware threat. Based on my experience, they’re going in the right direction.
Update: Suzi at Spyware Warrior has some comments on her blog as well. Some interesting food for thought, but this line struck me more than anything:
I installed the same WMA file on an old Win ME box with no protection except AVG free and the free version of Zone Alarm.
She goes on to describe the disaster that befell that computer. But really, isn’t that the real problem here? People running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything? Spyware is an epidemic now precisely because it is trivially easy to install it on that type of computer.
Don’t misunderstand what I’m saying. Microsoft can and should patch Windows Media Player (9 and 10) so that it rejects all ActiveX controls. Period. It should push that patch out as a Critical Update. But how likely is it that the type of user Suzi is describing will download and install that patch?