thoughts on usability, coding and other nerd topics

Posts tagged with “mac”


Google's Mac Installation Mechanism

I just downloaded Google’s Notifier application for Macs, and was pretty surprised when, after clicking on the download link, my Mac asked me whether I wanted to start the Google Updater app “for the first time.” There was no download involved; I just clicked the download link and my Mac asked me whether I wanted to start the app.

At first, this seemed like a security issue. Did Google somehow put an app on my Mac and start it, all without my interaction? Turns out they didn’t. Here’s what Google does: They check whether you already have the updater on your disk. If so, they launch it using its URL handler (the same way an FTP URL might launch your FTP client); if not, they download it to your disk. Since I already had the updater, clicking on download did not download it again, but launched it, which triggered the message asking me whether I wanted to launch the app. Here’s the relevant JS code:

if (GSPH_havePlugin()) {
   link.src="google-updater://sph?product=" + productId + "&action=install&source=web";
} else {
   link.src = downloadURL;
}

So how do they know whether I already have the updater on my Mac? That seems like a bit of a security issue, too. Turns out there’s an explanation for this, too. They simply check whether you have their plugin installed in your browser. If so, they assume you have the app, too:

function GSPH_havePlugin() {
   var havePlugin = false;
   var deluxe = navigator.plugins["Google Update One-Click Deluxe Installer Plugin"];
   if (deluxe) {
      havePlugin = true;
   }
   return havePlugin;
}

Presumably, the plugin doesn’t actually do anything, other than serve as a flag for this piece of JavaScript.

By the way, that code is really weird, why not just write

return(navigator.plugins["Google Update One-Click Deluxe Installer Plugin"]);

or something similar? There are probably some casting issues since values like “undefined” are evaluated to “false” by JavaScript, but even so, they could write something like

return(navigator.plugins["Google Update One-Click Deluxe Installer Plugin"]?true:false);

Thus getting rid of some unnecessary variables and saving a bit of bandwidth, too. Anyway, it’s a clever solution Google came up with here. My hat’s off to them!

Something else I noticed: it seems the “Do you want to open this app for the first time?” dialog only goes away if you launch it yourself from the Finder; if the app is launched by a URL, Mac OS X does not seem to count this as being launched, so the error message will appear each time you download something until you launch the app manually. It’s in /Library/Google/Google Updater/, if you have it on your system.
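The link-selection logic and the google-updater:// URL from this post, as an added example (not Google's code and not from the original post): the page-side choice written so it runs outside a browser, plus the kind of check a receiving URL handler can apply, since any web page can emit the same link. The function names, the allowed-action set, the product-id pattern and the sample product id are assumptions made for illustration.

```javascript
// Added example. Names below are hypothetical, except the plugin name and
// the google-updater://sph?... URL shape, which are quoted from the post.
const PLUGIN_NAME = "Google Update One-Click Deluxe Installer Plugin";

// Page-side decision: same logic as the snippet in the post, but the plugin
// table is a parameter so it can be exercised without a browser.
function chooseInstallLink(plugins, productId, downloadURL) {
  const havePlugin = Boolean(plugins[PLUGIN_NAME]); // undefined -> false
  if (!havePlugin) return downloadURL;
  // Encode the id so it cannot smuggle extra "&key=value" parameters.
  return "google-updater://sph?product=" + encodeURIComponent(productId) +
         "&action=install&source=web";
}

// Receiver-side check (assumed policy, not the real updater's behaviour):
// accept only the exact URL shape the page is known to generate.
const ALLOWED_ACTIONS = new Set(["install"]);   // assumption
const PRODUCT_ID = /^[A-Za-z0-9._-]{1,64}$/;    // assumption

function parseUpdaterURL(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== "google-updater:" || u.hostname !== "sph") return null;
  if (u.pathname !== "" || u.username || u.port || u.hash) return null;
  const p = u.searchParams;
  // Reject duplicated keys: two parsers may disagree on which one wins.
  for (const k of ["product", "action", "source"]) {
    if (p.getAll(k).length !== 1) return null;
  }
  if (!ALLOWED_ACTIONS.has(p.get("action"))) return null;
  if (!PRODUCT_ID.test(p.get("product"))) return null;
  return { product: p.get("product"), action: p.get("action"),
           source: p.get("source") };
}
```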

February 20th, 2008 / Tags: google, apple, mac, installer javascript / Trackback

How to avoid catching a Computer Virus

First of all, forget about Antivirus Software. As Jeff Atwood writes, blacklisting viruses does not work. The sum of all issues Antivirus software causes is a lot bigger than the sum of all issues you avoid by having Antivirus software installed. In other words, the problems Antivirus software causes are worse than the viruses you get by not having Antivirus software.

So how do you avoid viruses? Here are a few hints:

  • Avoid market leaders. Viruses generally target software with large installation bases. Use a Mac or Ubuntu instead of Windows. If you have to use Windows, use Firefox (preferably with NoScript) instead of Internet Explorer. Do not use Microsoft’s e-mail applications. Do not use Office applications such as Word, Excel or PowerPoint if you don’t have to. If you have to read documents from these applications, use third-party applications which can read the formats such as OpenOffice, Google Docs, TextEdit in Mac OS X, or iWork.

  • Do not run as Administrator or root. Create a second, normal user account and use your computer running this account.

  • Think before you enter your Administrator password. When you’re not running as Administrator, applications will sometimes request additional privileges to access data your current user does not have the rights to. Don’t just enter your password. Consider the application requesting additional rights. Does it really need those rights? What for?

  • Run a firewall. Most modern operating systems come with a firewall installed out of the box. Activate it if it’s not activated by default (bad Apple!).

  • Use a spam filter. A good solution is to use Gmail to access your mail accounts, and then access Gmail from your mail application. Gmail has a built-in spam filter, as well as a malware detector. Furthermore, it’s generally a good idea to discard spam messages without opening them. Opening a spam message could potentially exploit a buffer overflow issue in your mail application or browser. If you can identify spam by its subject and sender, just delete it without opening it.

  • Do not run applications you did not get from a trusted source. There are only two trusted sources: CDs given to you by an official vendor, and the software vendor’s official homepage.

  • Use virtualization for risky applications. You can use Internet Explorer without any risk, as long as you run the application within a virtual computer. Use VMware, Parallels or a similar solution to run risky applications. Make sure that the application is sandboxed, i.e. has no access to your “real” computer from within the virtualized computer.

  • Keep incremental backups. There is no absolute security, no matter what you do. Chances are, you’ll get a virus sooner or later, and you’ll lose data. If that happens, don’t try to get rid of the virus. Instead, roll your whole system back to the state before the infection. Mac OS X makes this extremely easy: just buy a big external disk, plug it into your Mac, and it’ll ask you whether you want to use it for your backup. That’s it. It’s easier to back up than to not back up, so just do it.

Above all, don’t be stupid. If you don’t do dumb things like visiting untrusted sites with Internet Explorer, or launching applications you’ve downrobbed from some torrent site, you probably won’t get infected.

TidBITS agrees :-)

January 8th, 2008 / Tags: virus, virtualization, parallels, vmware, internet explorer, firefox, ubuntu, mac / Trackback