|Home » Security
Apple Software Update
Kettle, meet pot.
'Un-freakin-believable', writes Ed Bott on his 'Windows centric' blog. Try to fight off Apple Software Update and watch what happens.
'In preparation for a trip next week I took a notebook out of mothballs and proceeded to install updates and make sure all the software and data files I need are in service. Along the way I noticed an iTunes icon on the desktop and decided to check in with Apple Software Update.'
What Ed first saw is depicted below. Note it's not just updates that are listed - it's also [ahem] 'new software'.
But Ed only wants iTunes and QuickTime. He doesn't want Safari and he doesn't want Bonjour.
'I don't want Bonjour or Safari on this machine, so I deselected the iTunes + QuickTime check box, clicked the Safari box so that both it and Bonjour were selected, and then chose Tools, Ignore Software Updates. The entries for Bonjour and Safari went away, the updater refreshed itself, and a new list appeared, containing only iTunes + QuickTime. The check box was selected already, so I clicked Install 1 Item and approved the UAC consent box.'
All taken care of?
'While the download proceeded, I opened the temporary folder where the update program stores its downloads (%LocalAppData%\Apple\Apple Software Update) and watched as the following five installer packages appeared.'
Oops. All the while the status box insisted only iTunes and QuickTime were being installed. Of course. But when the install was complete Ed peeked into his Control Panel Installed Programs.
Oops again. There's lots more than iTunes and QuickTime. And so Ed Bott is not happy with Apple.
'The mind truly boggles here. I had previously uninstalled Bonjour and Apple Mobile Device Support. When Apple Software Update offered Bonjour to me, I specifically selected it and told the Update program that I wanted to ignore that update. I'm not sure how much clearer I could have been with my wishes. And yet Apple went and installed it anyway and then reinstalled Apple Mobile Device Support. Do they have no concept of how a software installer should work?'
Now there are those who claim Ed sort of 'misunderstood' what Apple Software Update was trying to tell him - that those extra components he didn't want were in fact necessary. But he's not buying it.
'They allow me to uninstall Bonjour after the fact, so clearly it's not crucial to iTunes' functioning. They deliver it as a separate installer package, so why not (1) offer the user a choice at install time and (2) fire off the option to install Bonjour the first time a user does something that needs it? Answer: Because Apple's developers are lazy and rude.'
Ed Bott's hardly the only one angered by Apple's new attitude which can perhaps be summarised as follows.
Shucks we used to have an operating system for Windows and PCs but we don't have that any longer but the few software titles we do have today for Windows we're going to do our best to get you to download and use!
And the security implications aren't trivial either. Apple's Bonjour has been described by some security experts as the equivalent of the following network broadcast.
Hey all you hackers! Here I am! And I'm available for hacking on the following ports!
Don Rhodes put it like this on the SecurityFocus mailing list.
Anyone know 'when' they (Apple) decided to install Bonjour? First it was Safari, and now a service that allows someone, anyone, to determine the services that a computer has running?!?!?!?!
Annie Alpert puts it in a more colourful way.
'Imagine the outcry! Ears-a-burning, Apple modified ASU to group offerings based on what you have, and what they want you to have. Of course you have to update ASU (by running ASU) to get the new version.'
'Like any good resource-strangling epiphyte, the default installation of ASU runs in the background and pops up every two weeks to offer you more green fruity goodness. The check boxes for 'ITunes + QuickTime', 'QuickTime', 'ASU' AND Safari were already checked when I tried it, and a quick mouse-clicker could easily click INSTALL in haste. The Apple-Mac vs MicroSoft-PC commercials are so clever and the cute Mac Guy is dating Drew Barrymore, so maybe I expected MORE from Apple.'
Bottom line? Bonjour advertises your presence. iTunes opens ports and Bonjour tells everyone who you are and what number to call. This is important security information. Apple should show more responsibility than to foist this on unaware users - and perhaps think better of using such a technology in the first place.
Particularly on Windows machines.
Ed Bott: Apple Continue to Deceive Users
BlueDoggyDog: A Back Door Trojan Horse Filled with Fruity Goodness
SecurityFocus: Plethora of Important Product and Security Updates from Apple