Forum Thread: Software vendors piggybacking security downloads

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
wr Software vendors piggybacking security downloads
Contributor 14th Aug, 2009 00:53
Ranking: 308
Posts: 736
User Since: 30th Mar, 2008
System Score: 100%
Location: US
This week's issue of Windows Secrets sure was an eye opener. Sun has decided to preselect one of two options on its recent update, Sun Java(tm) Java SE Update 16 (6u16). They are as follows: 1. a 30-day trial of the Carbonite, Inc. online backup service, or 2. the M$ Bing Search toolbar. Some may question whether this is security related; I certainly think so, because if you're not paying attention, one of these 'piggyback surprises' will be automatically downloaded with the security update. If I wanted either of these programs I think I'm capable of finding & downloading them; I certainly don't want Sun or any other software vendor 'sneaking' them through with their download. In my opinion "Crapware", or at the least 'Bloatware'.

http://www.calendarofupdates.com/updates/calendar4...

Follow the above link for a listing of more 'piggyback' surprises.

Regards & safe Cybersurfing, wr

--
HP Pavilion Slimline s3020n
Windows Vista Home Premium SP2 32 bit
AMD 64 Athlon X2
Firefox 24.4.0 ESR
The weakest link of a computer system is always sitting in front of the monitor.

GoneToPlaid RE: Software vendors piggybacking security downloads
Member 14th Aug, 2009 07:05
Score: 5
Posts: 71
User Since: 1st Apr 2009
System Score: 100%
Location: Atlanta, US
I couldn't agree more. Piggybacking software which is beyond the original vendor's control is a recipe for security issues, let alone the loss of company integrity. If I want adware, spyware, bloatware, et cetera, then I know where to go to get it along with identity theft, viruses, trojans, keyloggers and whatever else gets silently thrown in as well.
Maurice Joyce RE: Software vendors piggybacking security downloads
Handling Contributor 18th Aug, 2009 01:07
Score: 11744
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@wr
I see U are a reader of Windows Secrets. A little bit of light relief for U - I wrote the following to the Editor:

"As a paying member of Windows Secrets, I am very interested to know where Susan Bradley got her information from regarding the JAVA update version 6 Update 16.

She quotes in her article
“The latest Sun Java SE Update 16 (6u16), released on Aug. 11, includes seven security updates and fixes a few bugs. What the release notes don't document, however, is that this update comes with a surprise.”

This bold statement is not supported by Sun Java. According to the technical bulletins issued by the vendor this is a very minor bug fix & is not readily available for consumers.

Given that many believe Windows Secrets is the font of ALL knowledge it would be interesting to know:

1. What 7 security issues were cleared by Version 6 Update 16 that were not correctly patched by Version 6 Update 15?
2. What bug fixes were cleared other than the stated fix by Sun, which was “JDWP threaded changes during debugging session (leading to ignored breakpoints)”?

I believe the article is misleading in that it does NOT clearly state that provided U have Version 6 Update 15 U are perfectly safe, that the update is not supported by the general updater within Control Panel, or that the update is not on general distribution on the Sun Java website.

If my assumptions are correct it would be nice to see a corrective article that CLEARLY states the real plain English facts about updating.

If of course the article is 100% accurate & the evidence I have requested is forthcoming my intention is to take up the matter with Sun Technical Support on why they are misleading us about JAVA.

Maurice"

After much head scratching by Gizmo & his mob I got the following "politically correct" reply.

"In trying to ensure that folks are on the latest, patched version both 15 and 16 have these security fixes. Some people in some areas did receive the version 16. As you say 16 is merely a timezone fix. What I should have said was Java 15 or Java 16, rather than just 16.

Thanks."

U will note it is not a full answer to my questions. I may go back & tease them a little more; I may even suggest that Susan Bradley becomes our Moon-based receptionist with Gizmo as the line manager!!

Have Fun.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
wr RE: Software vendors piggybacking security downloads
Contributor 18th Aug, 2009 01:33
Score: 308
Posts: 736
User Since: 30th Mar 2008
System Score: 100%
Location: US
Hi Maurice,
I'm still laughing at your letter, not necessarily your question(s) but the answer that was not given, or as you said, the 'politically correct' answer.
I also agree with your assessment of Susan Bradley; methinks she doesn't 'dig' deep enough sometimes & probably should be on Mars, at least on a part-time basis. I don't believe everything I read there, but it gives me reason to investigate matters, using my limited knowledge and ability, to really see what the facts are.
Wish I was more knowledgeable about computers & their 'workings', I would certainly 'join in the fun' teasing them.
Thanks for the post-I'm certainly having fun now.

Best regards, wr
--
HP Pavilion Slimline s3020n
Windows Vista Home Premium SP2 32 bit
AMD 64 Athlon X2
Firefox 24.4.0 ESR
The weakest link of a computer system is always sitting in front of the monitor.
Maurice Joyce RE: Software vendors piggybacking security downloads
Handling Contributor 18th Aug, 2009 02:30
Score: 11744
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
More entertainment for U - my reply:

Thank you. In the UK we call the answer I got "politically correct" - which means bypassing the main issue.

Given that I told you that many believe Windows Secrets is the font of all knowledge & will even ignore good sound researched advice from others "because Windows Secrets does not agree" I still maintain this was a very bad piece of writing that has caused confusion.

Your reply states "Some people in some areas did receive the version 16".
Which areas? I thought Sun Java had a Global Update site. I have just tested it & it clearly states that my platform is up to date with version 6 Update 15. If U update via Control Panel you get the same result.
No surprise there because, as stated, I believe Sun JAVA have not released 16 for general consumer use.

If they have what is the URL which is also missing from the article.

Why is this article totally confusing?
1. Because it implies that update 16 had vulnerability fixes.
2. This is not supported by Sun Java or by Secunia, but the "I only trust Windows Secrets" mob think JAVA & Secunia are in error, which is absolute rubbish.
3. This is compounded by updater programmes like FileHippo & Cleansoft.org, who have found the hidden-away update URL & are posting it.


Update 16 is a minor bug fix full stop.

Let us hope there is clarification in the next newsletter to quieten down the "Trust in Windows Secrets Only" mob!!

Maurice


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
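As an added example (not code from this thread, from Secunia, or from Sun), the following Python script performs the check Maurice describes by hand: read the first line of `java -version` and decide whether the installed runtime is at or above 6 Update 15, the level the thread treats as patched. The baseline and the sample banners are assumptions constructed for the example; adjust the baseline to whatever the vendor advisory currently states.

```python
import re
import subprocess
from typing import NamedTuple, Optional


class JavaVersion(NamedTuple):
    """Java SE version as (major, minor, update); 6 Update 16 is (6, 0, 16)."""
    major: int
    minor: int
    update: int


# Baseline assumed from the thread: 6 Update 15 is the lowest level treated as patched.
BASELINE = JavaVersion(6, 0, 15)

# Matches the quoted token in the first line of `java -version`, e.g.
#   java version "1.6.0_16"
#   java version "1.6.0_15-b03"
# The "_NN" update number and the "-bNN" build suffix are both optional.
_VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[A-Za-z0-9.]+)?"')


def parse_java_version(banner: str) -> Optional[JavaVersion]:
    """Extract the version from `java -version` output; None when no version line is present."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    first, second, third, update = m.groups()
    if first == "1":
        # Legacy naming: "1.6.0_16" is Java SE 6 Update 16; a missing "_NN" means update 0.
        return JavaVersion(int(second), int(third), int(update or 0))
    # Newer naming ("11.0.2"): major.minor.security, with no "_NN" update field.
    return JavaVersion(int(first), int(second), int(third))


def meets_baseline(version: JavaVersion, baseline: JavaVersion = BASELINE) -> bool:
    """True when the installed version is at or above the baseline (tuple order: major, minor, update)."""
    return version >= baseline


def audit_banner(banner: Optional[str], baseline: JavaVersion = BASELINE) -> str:
    """Classify a banner as 'missing' (no Java found), 'outdated', or 'ok'."""
    version = parse_java_version(banner) if banner else None
    if version is None:
        return "missing"
    return "ok" if meets_baseline(version, baseline) else "outdated"


def installed_java_banner() -> Optional[str]:
    """Run the local `java -version`; it prints its banner to stderr. None if java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


# Constructed sample banners for the example (not captured from any machine in the thread).
SAMPLE_BANNERS = {
    "6u16": 'java version "1.6.0_16"\nJava(TM) SE Runtime Environment (build 1.6.0_16-b01)',
    "6u15": 'java version "1.6.0_15"\nJava(TM) SE Runtime Environment (build 1.6.0_15-b03)',
    "6u14": 'java version "1.6.0_14"\nJava(TM) SE Runtime Environment (build 1.6.0_14-b08)',
    "none": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label}: {audit_banner(banner)}")
    print("local java:", audit_banner(installed_java_banner()))
```

Note that the JRE writes its banner to stderr, not stdout, which is why the script captures both; a machine with no Java on the PATH reports "missing" rather than raising. Comparing parsed tuples rather than the raw strings avoids the trap where "1.6.0_9" sorts after "1.6.0_16" lexically.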
Maurice Joyce RE: Software vendors piggybacking security downloads
Handling Contributor 18th Aug, 2009 12:27
Score: 11744
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 18th Aug, 2009 15:37
@wr
The saga has closed. I have received a flurry of emails which I wish to keep private.

It does however include the fact that an article will appear in this week's known issues clarifying the situation. Whether this article will be available to non-paying members is not clear.

What has become very clear is that the JAVA article was not written on fact but hearsay.

I suspect they & programmes like FileHippo/Cleansofts.org are trawling "off piste" sites in an effort to gain one-upmanship on being the first to tell the general public of their new discovery, rather than helping the vendor by publishing the "party line". In this instance they appear to be using a developer site here:
http://java.sun.com/javase/6/webnotes/6u16.html

Not good news for the average user who just wants to enjoy his PC without this kind of silly hassle. The latest official update for JAVA remains Version 6 Update 15.

Needless to say Susan will not be interviewed for the job of senior receptionist for Moon visitors. Accuracy is essential which is sadly lacking in this saga!!
--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
wr RE: Software vendors piggybacking security downloads
Contributor 18th Aug, 2009 17:25
Score: 308
Posts: 736
User Since: 30th Mar 2008
System Score: 100%
Location: US
Maurice,

Of course I'll respect your right to privacy regarding the emails. I also would like to give you a big thank you for digging to the bottom of this matter. I had suspected that possibly not all 'findings' were based on actual facts. That's why I said I always try to investigate their reports. Of course one of the best resources for that is right here @ Secunia; I'm loyal to them to a fault, as my experiences have proven them to be correct 99.9% of the time. I think the reason most people have problems with programs, updates, patches, etc. is because they don't or won't follow instructions.
Having cast my .02 worth into the fray, & now almost broke from that, I'll once again say thank you.
As they say on the telly-Stay tuned, there's more to come.

Best regards, wr

--
HP Pavilion Slimline s3020n
Windows Vista Home Premium SP2 32 bit
AMD 64 Athlon X2
Firefox 24.4.0 ESR
The weakest link of a computer system is always sitting in front of the monitor.
Maurice Joyce RE: Software vendors piggybacking security downloads
Handling Contributor 20th Aug, 2009 11:11
Score: 11744
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 20th Aug, 2009 11:12
@wr
The Windows Secrets article.

"Most recent Java update may not be offered

Susan's story referred to Sun's Java SE Update 16, which was released just a few days after Java SE Update 15 and included the security updates and bug fixes of the previous patch. After the newsletter was published, it was learned that not all users would receive Update 16, so some people with Update 15 would be told by the Java updater that their current version was the latest available.

If your PC has Java SE Update 15, you may not need the more-recent release and may indeed consider your system up-to-date."

If U can see the article on Windows Secrets U will note I was not offered a free Book,DVD or CD of my choice by Susan !!!!!!!!!!!!!!!!
--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
wr RE: Software vendors piggybacking security downloads
Contributor 21st Aug, 2009 01:33
Score: 308
Posts: 736
User Since: 30th Mar 2008
System Score: 100%
Location: US
Last edited on 21st Aug, 2009 01:44
Hi Maurice,

Sorry for the delay in posting back. Yes, the first thing I noticed was no book or CD for Maurice! I had been away from the comp most of the day until just now, & WS was the first thing I read in my email, & then I came here to ask why you didn't get recognized for your efforts.
Guess that by showing that you are as wise as (wiser than?) they are, you don't get an attaboy? Sorry to see that you weren't recognized for your efforts, but I'll bet that there are literally thousands of us who do applaud your efforts & look forward to your replies here on the Forum.
I certainly appreciate your efforts & can honestly say a great big Thank You for freely sharing your vast knowledge with us here.

Best regards, wr

Maybe Susan Bradley's new position on the Moon slowed her response time on your getting book or cd, dvd.

--
HP Pavilion Slimline s3020n
Windows Vista Home Premium SP2 32 bit
AMD 64 Athlon X2
Firefox 24.4.0 ESR
The weakest link of a computer system is always sitting in front of the monitor.

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144