Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - let's share interesting security information

Sun and Apple Updates – A Sheer Nuisance!!


As you all know: I rarely blog on competitors and – even rarer – blog about them negatively. But this time I definitely had to:

Like most of us, I have QuickTime on my PC as well as a Java VM. I know that there are alternatives for this software and the same is true for RealPlayer, which is – for me – from a privacy perspective about where Windows Media Player was about 6-7 years ago, but this shall not be the theme here.

Regularly I am prompted by Apple to install updates – for software I do not even have. So, I am not only prompted regularly to install security updates for QuickTime (and there are a lot) but they have also wanted to force iTunes onto my machine for quite some time. Regularly I tell this updater not to prompt me anymore for this update but this seems to be valid for the current version of the product only. Today it got even worse: I was prompted again by this so-called updater to install updates and was asked to install Safari! It was not just a proposal, it was already preselected by Apple – so kind!

Also today, I was asked to install a newer version of the Java VM on my private PC and guess what – why do I, each time I install an update of the Java VM, have to tell this installer that I do not want to install the Google toolbar? I have to de-select it as – kindness of Sun – it is already pre-selected!

Why the heck do we invest a huge amount of time to teach consumers to switch on the update engines in order to get Security Updates and then our industry partners come and behave in such an irresponsible way? Let the user choose what he/she wants and then stick to it.

Now, I hear you saying that we pushed IE7 out as a Security Update. Yes, this is true but this is different than the two examples above: First of all, we only updated existing installations of Internet Explorer. So, the user chose to install it or buy a Windows with it and we updated it. From our perspective (and this was a long discussion internally) the security progress in IE7 compared to IE6 was so significant that we decided to push it out via Automatic Update.

Sun, Apple and others: Start to let the consumer choose. I do not hope that you need this kind of business model to make a profit! Security Updates have to be strictly separated from the business goals as this is a job to make sure your customers use your technology in a secure way.

I will switch off these updates and try to stay current manually as these policies are simply not acceptable to me as a user.

Roger

Comments
  • I agree with the point you're making here, but have you ever even seen an update of MSN Messenger? It's so awesome how every single time I have to choose NOT to install the toolbar/default search engine/MSN home page/etc...

    It got even better when Windows Live Messenger came out. I say 'yes' to an update of MSN and get a screen full of other 'handy' Windows Live applications shoved in my face. It's also apparently impossible to install Live Messenger without getting a nice link to the Live homepage in my start menu. So kind indeed.

    And check this: I go to http://get.live.com/messenger/ to install Live Messenger. There I must first choose NOT to install Live search, the MSN start page, the Live toolbar and the option to allow Microsoft to collect information on me to "help improve Windows Live". All of those are kindly checked by default. I especially like the last one.

    But here's the kicker: as I then run the installer, I must once again uncheck the option to install the MSN start page and the option to allow Microsoft to collect information on me. Talk about persistence!

  • Hi John

    I did not say that I am completely happy with every installer we have. As far as I know, the scenario above is for the initial installation. If I am not mistaken, you do not have to re-select (or worse re-de-select) the options with regards to the Toolbar etc. So, if you have to re-install a new version of Messenger I do not think that you have to de-select the additional options. Even though I do not like that too much, it is acceptable to me. However, with Java, I have to de-select the Google Toolbar each and every time!

    Again, I do not like all the installers we have but I think at least we improved over the last few years. Are we there? No, not yet.

    Does this make sense?

    Roger

  • I totally agree on this!

    But I also think that all options presented should always be unchecked by default, no matter if they come from Microsoft, Apple or others.

    Kind regards Steye

  • Roger,

    With all versions of MSN before Live Messenger, I had to uncheck the toolbar/homepage/etc. options every time I installed an update.

    But, fair is fair, this doesn't appear to be the case with the Live installers. It also does not check any of the other, optional Live applications by default. So yes, I guess you have improved there.

    All I'm saying is that, yes, while it's annoying what Apple and Sun are doing with their updates, Microsoft isn't entirely devoid of this kind of behavior either. I think that no matter whether it's a first install or not, all these options for extra mumbo-jumbo should be unchecked by default. After all, I came here to install Messenger, not change my default search engine.

    John

  • :-) As I stated above, I agree with both of you. Basically we should try to anticipate what the customer wants (with regards to default installation options) and leave the rest unchecked. If I want to install Messenger, I definitely neither want to install a toolbar nor change the default search engine.

    There were - however - limitations to that and the only exception I see is Automatic Updates: When we released XP SP2 we had long discussions whether Automatic Update should be switched on by default but we did not dare back then because of the discussions above (leave options unchecked). So we decided not to check any option (so, the user could not just select "Next" but had to decide explicitly) and we made it extremely clear what we thought should be done. We changed this in Vista - Automatic Updates are switched on by default and I think we all agree that this makes sense.

    For the rest I definitely agree: The user should SELECT the options he/she wants and not have to de-select what they do not want.

    Last but not least, for security updates I think at the end of the day there should be ONE mechanism how to deliver these updates to a machine and the user experience should be consistent.

    Roger

  • Funny you mention Automatic Updates -- I think the best way to let a user choose something during software installation has been around all along: the way Windows asks you whether or not to enable the Automatic Updates when you first install it. It's two radio buttons and neither is checked by default, forcing the user to actually read and make a choice before brainlessly hitting 'next'.

    That, combined with the ability to remember choices made during previous installations, would make the perfect first-install/update combo.

    John

  • Hi John,

    this is actually not completely true: in XP we did not pre-select anything. In Vista, Automatic Updates is switched on by default.

    Roger

  • Quite some of you read my initial post on that – and I like the comments I got. Now, it seems that I

  • From Roger's blog post: http://blogs.technet.com/rhalbheer/archive/2008/03/19/sun-and-apple-update-a-sheer-nuisance.aspx
