The Boring Reality of Spyware & Adware

Despite the widespread attention that exploit-based installs of spyware and adware have received, the reality of spyware and adware is much more boring and depressing. The sad truth is that much if not most spyware and adware is installed on PCs after users "consent" to those installations, usually without fully understanding the nature of the software.

Internet Explorer has been justly criticized for facilitating such installations, because the ActiveX "Security Warning" box that pops up when web sites attempt to install software is enormously confusing to users (https://netfiles.uiuc.edu/ehowes/www/dbd-anatomy.htm). That "Security Warning" box names the software program and the company responsible for it, though even this information can be downright deceptive, as noted researcher Ben Edelman recently pointed out (http://www.benedelman.org/news/020305-1.html). The box also supplies a link to the software's End User License Agreement (EULA). As we all know, however, those EULAs often consist of long, dense blocks of legalese that only practicing attorneys can make sense of. Beyond this poor information, the box offers precious little guidance to users.

Many users mistake such software for browser plugins required to view content on the web sites they're visiting. Still others don't recognize that they can click the link to read the EULA. Even worse, because these "Security Warning" boxes frequently pop up at third-party web sites while users are concentrating on the content of the sites themselves, many users don't pay close enough attention to what little information is provided about the software. And so they click through those "Security Warning" boxes willy-nilly, effectively giving their consent to software they don't fully understand, want, or need. Only after that unwanted software begins blanketing their desktops with pop-ups do they finally realize something is amiss.

To its credit, Microsoft has taken several important steps to address the problems with those confusing "Security Warning" boxes. When users with Windows XP Service Pack 2, for example, land on web sites that attempt to install software on their computers, those users receive a discreet notice in the new "Information Bar" along the top of the Internet Explorer browser window. Service Pack 2 for Windows XP also adds a pop-up blocker to Internet Explorer, reducing the chances that users could be badgered by web sites into clicking through boxes for unwanted software. Microsoft bundled still other security improvements into Windows XP Service Pack 2, and the net effect is to make Internet Explorer much more "resistant" to spyware and adware.

Software Installation in Firefox

Like Internet Explorer, Mozilla Firefox also allows users to install software online, and therein lies the risk. While security researchers have been looking for security holes in Firefox that could be exploited by spyware and adware (as will surely happen at some point), we ought to recognize that Firefox already has a spyware and adware problem. That problem arises because the information that Firefox gives users about software installed by web sites is just as poor as the information in that old Internet Explorer "Security Warning" box. When confused users aren't given enough information to assess the danger of software installed by web sites, they could very

