X
Business

Adobe's latest critical security update pushes scareware

Adobe just released a critical Flash Player security update. Good news: it includes a new automatic updater for Windows. Bad news: Adobe's download page pushes a misleading "system optimizer" designed to scare users into paying for unneeded repairs.
Written by Ed Bott, Senior Contributing Editor

Update: Even on a completely clean installation of Windows 7, the "system optimizer" utility I discuss in this post found hundreds of "critical errors" that could only be fixed after paying for the repair. See Update 2 at the end of this post for details.

March 30: I've captured a video of the entire process and uploaded it to YouTube. The unedited video (approximately 10 minutes) is here.

Adobe did something good this week, releasing a new version of its Flash Player software with automatic updating capabilities.

They also did something truly awful—using their update page to push a third-party scareware program designed to separate naïve PC users from their cash.

I’ve criticized Adobe in the past for pushing foistware—browser toolbars and free virus scanners, usually—as part of the Flash download process. But this latest episode is far worse.

First, the good news.

Bad guys love to attack innocent computer users by targeting vulnerabilities in third-party software. One of the most common vectors is Adobe Flash, which gets critical security updates at an alarming rate.

This year alone, three Flash Player security updates have been issued by Adobe: one on February 15, one on March 5, and one yesterday, March 28. If you use any of the affected platforms—Windows, Macintosh, Linux and Solaris, or Android 3.x and 2.x—you should update immediately.

Related:

A key feature of the new Flash Player update is an automatic updater, which allows Adobe to silently update Flash so that you (and your users) don’t have to think about it. Here’s what it looks like in operation:

eb-flash-auto-updater.png

The default choice installs updates automatically. If you prefer the old behavior, you can choose to get a notification and install the updates manually.

Even better news is that the updater combines the ActiveX installer for Internet Explorer with the plugin-style installer for Firefox, Opera, and other browsers. (Chrome includes Flash Player as a component, so updates are included with the browser itself.) If you use multiple browsers, the auto-updater will keep you secure.

The Adobe Secure Software Engineering Team Blog offers this explanation of how the updater works:

For our initial release, we have set the new background updater to check for updates once an hour until it gets a response from Adobe. If the response says there is no new update, then it will wait 24 hours before checking again. We accomplish this through the Windows Task Scheduler to avoid running a background service on the system. If you are running multiple browsers on your system, the background updater will update every browser.

That’s a smart, low-impact design. Nice work, Adobe.

Unfortunately, Adobe is now selling prime advertising space on the page where they deliver manual updates to Flash Player. If you do as I did and visit the Adobe Flash Player Download Center to manually install the latest Flash Player code, you might see this ad when the installation is complete. (Update: I saw this ad on two different PCs, but on other test machines I saw different ads when I went to Adobe's download site. I have no idea what the conditions are that determine when this ad is served.)

It’s FREE! It has the Adobe logo in the lower-right corner, suggesting that it has the full endorsement of Adobe. It is not marked as an advertisement. If you click the Download Now button, the program (SCUDownloader.exe) is delivered from an Adobe server (platformdl.adobe.com).

What could possibly go wrong?

Let’s make a little list.

First, the new program is powered by Adobe AIR. If your system doesn’t already have AIR installed, the downloader will take care of that task. Unfortunately, Adobe AIR is yet another source of potential vulnerabilities, and the new automatic updater for Flash doesn’t automatically update AIR. You need to do that manually. Oops.

Far worse is the misleading report that the Iolo System Checkup utility generates to try to scare you into paying for an unnecessary cleanup.

The “FREE PC Health Check” requires that you install a program called System Checkup, developed by Iolo Technologies.

I have looked closely at Iolo’s products before. I’ve never been impressed by this “free” tool or their flagship product, System Mechanic. Both products follow a similar modus operandi: scan your system, find a slew of “critical errors,” and make extravagant promises about improved performance if you pay a fee.

For the record, the company is legitimate, and there's no question that they believe their software serves a worthwhile purpose. It doesn't install any spyware or adware, and it is not malicious. But it overhypes the supposed risks that it finds and goes too far, in my opinion, in its use of fear-based sales tactics.

To see how this scan works, I fired up a well-used Windows 7 virtual machine, one I use regularly for testing software. Here’s a short description of how the Adobe-sponsored “PC health check” worked in that environment.

The scan itself takes nine stages, each of which is accompanied by vaguely technical language as it works. Test 2, for example, says “The lower your memory levels are, the slower your PC runs.”

eb-flash-iolo-scan1.png

The program also scans for "Internet speed bottlenecks” and “unneeded startup programs,” which it says “cause Windows to take what feels like forever to start.” It claims to scan for security vulnerabilities, hard-drive corruption, and “system clutter.”

But the real red flag for me is this one:

eb-flash-iolo-scan2.png

Through the years, I have made my feelings for registry cleaners known. I believe they are software snake oil, they cause more harm than good, and they should never be allowed in the hands of anyone but an expert PC diagnostician.

After System Checkup completed its scan, it delivered this report. Oh my, it found 297 problems, and “293 appear critical.”

Now, I have been troubleshooting Windows PCs for 20 years, so I am intimately familiar with the sources of potential problems. This report is filled with alarming verbiage, but it identified no actual performance-sapping problems that I could see.

  • It identified one startup item to remove.
  • It advised me that my “memory level is low” because I only have 533.27 MB available (out of 2 GB installed). Apparently it didn’t notice that another 440 MB was in use as part of the system cache and would be instantly freed if I needed it. In other words, I am only using about half the RAM on this system. The program’s recommendation: “Defragment, optimize and recover system memory.” That is, to put it politely, bullshit. As I’ve written previously (see Windows 7 memory usage: What's the best way to measure?), “Windows 7 (unlike XP and earlier Windows versions) goes by the philosophy that empty RAM is wasted RAM and tries to keep it as full as possible, without impacting performance.” There’s no such thing as “defragmenting” memory.
  • According to Iolo, my system has “13 repairable security vulnerabilities.” Oh really? What it wants to do is change 13 file associations that might be associated with executable files (.hta, .js) so that they’re opened by Notepad instead. Whoop-de-do. What the scan didn’t flag is that the installed copy of Office 2007 in this post needs to be updated to Service Pack 3, and that OpenOffice is also out of date. Those are far more serious security vulnerabilities.
  • And then there’s the registry scanner, which found 278 so-called problems.
  • Other recommendations were to remove “system clutter” and to run a utility called NetBooster that would optimize my Internet connection.

And here, of course, is the punch line. Clicking the Fix Errors Now button leads eventually to this demand for money:

You can pay $30 to fix those “critical problems” and be able to fix any future problems for an entire year. Or just pay $10 for a one-time fix.

This is pure, unadulterated scareware. It is designed to prey on unsophisticated computer users who have been told that they need to update their Flash Player and who are then subjected to this misleading advertising and technical mumbo-jumbo to scare them into paying for something they don’t need.

And, ironically, this product can cause problems all on its own. PC Magazine gave Iolo’s System Mechanic a glowing review last year, but the reviews from actual customers in the comments section told a different story. Users called it “a ripoff,” “uncontrollable and worthless,” and advised other customers to “beware.” They complained that the registry repairs and other fixes had hosed their network connections, caused problems with web browsing, broke Bluetooth drivers and printer configurations, and generally made a mess of the system.

Likewise, 247 of 711 user reviews of the free version of System Mechanic at CNET's Download.com give it one star, with two users reporting it messed up their Bluetooth settings. "Most of my applications stopped working," said another.

Indeed, that is the danger with nearly every program I’ve examined in this “system optimizer” category. In their zeal to do something, they go too far.

The fact that Adobe is foisting this software on customers who come to their site looking for a security update is disgraceful. This practice should stop, now.

Update: The behavior I note here isn't limited to Iolo. A January 2012 lawsuit filed in California accused Symantec of using "misleading ’scare’ tactics ... in its Norton Utilities, PC Tools Registry Mechanic, and PC Tools Performance Toolkit products. The claims also suggest the software range always report harmful errors, privacy risks and other issues that exist, regardless of whether they actually exist."

Update 2: As a test, I installed a brand-new copy of Windows 7 Enterprise with Service Pack 1 in a virtual machine. I installed no other updates or third-party software. I then used the default installation of Internet Explorer 8 to download the Flash Player from Adobe's official download page. After the installation was complete, I was shown the ad that appears on the first page of this post.

The Iolo "PC Health Check" report told me that it had found 252 problems and that "251 appear critical." It did not detect that many months of security updates had not been installed. The 240 "registry problems" it detected are part of a default Windows installation.

I then installed all available updates from Windows Update and repeated the test. This time the Iolo scan found 255 problems and my system status had been downgraded from Good to Fair. The report said that of those problems, "252 appear critical." It also, amusingly, said my hard drive had "signs of physical corruption."  If so, that would be a minor miracle, as this VM is running off a virtual hard drive.

Editorial standards