Microsoft Backpedals Furiously
For anyone using the free Microsoft Anti-Spyware program (beta), you may have recently heard some loud complaints from the security community regarding Microsoft’s downgrading of a known adware product, Claria. Claria was formerly known as Gator and was bundled with the infamous file-sharing app, Kazaa. The Claria adware monitors surfers’ habits and displays ads as they traverse the Web. Interestingly enough, the downgrade (from recommended action "delete" to "quarantine") came just as Microsoft was in the process of acquiring the company. Coincidence? I think not.
The barrage of criticism did not fall on deaf ears at Microsoft. They recently posted a letter online to respond to the complaints. An excerpt:
Dear Customer,
This week we received some questions around Microsoft’s classification of Claria software in our Microsoft Windows AntiSpyware (Beta). We wanted to take this opportunity to clear up any misconceptions and explain our current policies and practices.
As you may know, the analysis of software is based on a single set of objective criteria, which can be found on our web site: Windows AntiSpyware (Beta): Analysis approach and categories.
Microsoft offers all software companies the opportunity to request a review of how Microsoft classifies their products through our vendor dispute process. In January, Claria filed a request for Microsoft to reevaluate some of its products. Upon review of their software against our criteria, we determined that continued detection of Claria’s products was indeed appropriate. We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors. At the end of March, we communicated to Claria the result of our analysis through our standard process.
However, reading between the lines, this looks like an effort to explain the downgrade rather than correct it. Additionally, it seems to imply that other similar adware will be downgraded in the same way. If that’s the case, the Microsoft Anti-Spyware program becomes useless for protecting users against the real damage done by these programs: slowing the system down, tracking them online, and popping up unwanted ads. Can we say another one bites the dust?
I’ve been using Spybot S&D, but downloaded Microsoft’s program at the advice of the St Pete Times tech columnist. Spybot S&D still continues to catch a lot of spyware that Microsoft doesn’t pick up. Even with the updates!
I don’t trust ‘em, not one bit.
Thanks, I didn’t know about this message. Well, I’m really not surprised by this move. I guess this will also be very costly for their antivirus. Who would want an MS-branded troll acting as spyware on his machine?
I’ve always been using AdAware coupled to Y!AntiSpy
It would be Microsoft…
Another vote for Spybot S&D. Great product and it’s free!
Maybe Microsoft is looking to acquire Claria soon. Echoing Laura’s and thegax’s comments, thank god for Spybot.
Ajay
- Sarah
I’m confused. Are you saying that you don’t want MS to treat Claria fairly? That they should have a special set of criteria for that one company, instead of objectively treating them like everyone else?
If you’ve used AntiSpyware, you’ll know that it warns you when you (the user) are installing this software. It also notifies you that it’s on the system *every* night when the full scan runs. The only difference now is that the default action is not to delete the software from the system.
If you look at MS’ whitepaper on the subject (http://www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx), you’ll see a very apropos quote there: “Unlike other forms of software, which tend to either be ‘good’ or ‘bad,’ spyware often exists in shades of ‘gray.’ With the exception of malicious behaviors, many of the behaviors could have legitimate purposes. The potential for harm and disruption to the user’s PC experience depends on the specific behaviors demonstrated by a given program.”
In the case of Claria you have a program which the user explicitly installed after being presented with both a EULA and a Privacy Policy page. The software is up front about what it does, and it makes no effort to stop you from uninstalling it (in fact, there’s a very simple uninstaller in Add/Remove Programs that you can use).
On top of that, many legitimate ISVs bundle their wares with Claria because they use the advertising portion to help support the software they write, similar to how you see ads on the web when you visit any site (like google).
If you automatically remove this software when the user installs AntiSpyware then you’re going to break programs that the user wants to run.
Given all this, don’t you think it’s better for the software to just notify the user that adware was detected and then let the user decide what they want to do about it?
Nobody reads EULAs - a fact that’s been exploited for quite some time by adware/spyware vendors. Just because a user inadvertently agrees to a spyware install (and, imo, adware is pretty much spyware if it tracks your websurfing in order to target ads to you), it doesn’t mean that the user wants the spyware on their computer. And gosh darn it, if their file-sharing program where they are downloading illegal mp3s breaks because of it, well, that’s just too bad.
Sarah: This is why I mentioned the quote about “spyware often exists in shades of ‘gray.’”
For example, DivX (at one point, at least) shipped with Gain, and was very up front about this fact. If you removed this additional part of the install, then you would break DivX.
So, by your opinion, MS Anti-spyware should break DivX by default. This could end up seriously pissing off a lot of people who were fine with the install and who wanted DivX to work.
Also, you mention: “Just because a user inadvertently agrees to a spyware install (and, imo, adware is pretty much spyware if it tracks your websurfing in order to target ads to you), it doesn’t mean that the user wants the spyware on their computer.”
Well, then it’s good that MS-AntiSpyware does inform the user about the spyware both at *install* time, and *every* time Anti-spyware runs.
If the user does not want that software, they can make an informed decision about this.
Let me give you another example. AOL Instant Messenger comes with a EULA, has an Add/Remove entry, and offers advertisements to the user. By your definition it would be OK to automatically remove AIM.
Don’t you see why it’s important to remain impartial and to treat all software vendors equally? Wouldn’t it be a huge conflict of interest if MS could treat ISVs arbitrarily?
Finally: “if their file-sharing program where they are downloading illegal mp3s breaks because of it, well, that’s just too bad.”
I find this to be a very distasteful attitude to have towards users. You’re saying that MS should be judge and jury over all software, regardless of what the other software company *or* the user wants. That MS should automatically assume that because a user has a p2p software client that installed ad-ware, that the user must only be using it for illegal uses, and thus it’s ok to break their software.
Users do not respond happily to this sort of thing. Can you imagine the backlash that would happen if these clients started breaking all over the world? What about if AIM started getting blocked (using your criteria), or if anti-spyware started blocking ads from google, etc. etc. etc.
These are enormously complicated problems, and the only way to responsibly deal with them is to have a fair and consistent policy that you apply to *everyone*.
I was being flippant when I said that (“too bad”). My real problem with file-sharing is that the users don’t read the EULAs and don’t know that they are downloading all the junk that comes with it. But I think comparing adware to AIM’s ads is not a fair comparison. So fine, if MS wants all adware to be downgraded to quarantine to be “fair”, that’s their choice. They are not alone: http://www.esecurityplanet.com.....hp/3505361.
My choice would be to run a program that automatically removes adware though. Personal preference I guess.
– Sarah
That seems quite reasonable. Maybe in the future the program could come with a “tolerance” slider. So you could say “I don’t want to have *any* ads of *any* kind”. Then by default, these apps would be cleaned up for you automatically.
And yes, users not reading EULAs is an extraordinarily difficult thing to deal with. That’s why malware is so hard… How do you distinguish legitimate versus not?
With software that actively hides itself, or commits blatantly hostile actions (DoSes, crashes, corruption, etc.) it’s clear. When it’s at the other end of the spectrum it’s not so simple anymore.
Clearly we don’t view all ads as being problematic. Google/GMail/AIM/etc. all show ads as part of their design.
It’s a tough problem and I think that user education should be a big part of solving it.