Disabling Apple Software Update items
So there’s been a lot of talk over the past few days about Apple’s mechanism for deploying the Safari browser on Windows – basically the same tool that’s used to keep iTunes and Quicktime up to date. The problem is, even if you don’t have Safari installed, you’re prompted to “update” (i.e. install) it. In my opinion (and seemingly a lot of others), this is a really bad move on Apple’s part. It’s introducing a new attack vector on customer computers in an underhanded way. I was already kinda annoyed that if you install Quicktime (and the Software Update tool), you’ll be prompted to install Quicktime AND iTunes updates – again, another attack vector – but the Safari update REALLY bothers me. It’s irresponsible of Apple to try to gain market share in such an underhanded manner.
This is also going to be a problem in corporate environments, where end users have a bit of freedom. I know of numerous companies that don’t “allow” Quicktime or iTunes, but don’t have the ability to prohibit the installation (bet you’re wishing you didn’t give your users local Administrator privileges now, huh?).
So I decided to do a little research into ASU and see if it can be locked down in any way. Well there doesn’t seem to be any ability to lock down through Group Policy, but I did find that a specific REG_MULTI_SZ value in the registry can effectively disable the Safari update. I don’t know if this applies solely to Safari 3.1, or any future versions, but it’s worth implementing anyway. Save this text to a .REG file:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Apple Inc.\Apple Software Update]
"Update_Ignore_List"=hex(7):30,00,36,00,31,00,2d,00,34,00,35,00,31,00,36,00,00,\
00,00,00
This sets Update_Ignore_List as a REG_MULTI_SZ to “061-4516”. This is the update code for Safari. For companies that need Quicktime to be updated, but don’t want iTunes to be installed, you can also add “061-4270” to the list:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Apple Inc.\Apple Software Update]
"Update_Ignore_List"=hex(7):30,00,36,00,31,00,2d,00,34,00,35,00,31,00,36,00,00,\
00,30,00,36,00,31,00,2d,00,34,00,32,00,37,00,30,00,00,00,00,00
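Before a .reg file like the ones above is pushed to every user, it is worth decoding what the hex(7) data actually says, and regenerating it from plain update codes rather than hand-editing hex. The following is an added example, not part of the original post; the function names are illustrative, and it only reads and writes .reg text, never the registry itself.

```python
import re

# Key path as given in the post (a commenter reports "Apple Computer Inc." on some machines).
KEY = r"HKEY_CURRENT_USER\Software\Apple Inc.\Apple Software Update"

# The post's second value line, retyped with straight quotes.
PAGE_SAMPLE = r'''"Update_Ignore_List"=hex(7):30,00,36,00,31,00,2d,00,34,00,35,00,31,00,36,00,00,\
00,30,00,36,00,31,00,2d,00,34,00,32,00,37,00,30,00,00,00,00,00'''

def encode_multi_sz(codes):
    """REG_MULTI_SZ bytes: each string as UTF-16LE plus a NUL, then one final NUL."""
    for code in codes:
        if not code or "\x00" in code:
            raise ValueError("entries must be non-empty and contain no NUL")
    return b"".join(c.encode("utf-16-le") + b"\x00\x00" for c in codes) + b"\x00\x00"

def build_reg(codes, key=KEY, width=80):
    """Return .reg text that sets Update_Ignore_List to the given update codes."""
    tokens = [f"{b:02x}" for b in encode_multi_sz(codes)]
    lines, cur = [], '"Update_Ignore_List"=hex(7):'
    for i, tok in enumerate(tokens):
        piece = tok + ("," if i < len(tokens) - 1 else "")
        if len(cur) + len(piece) + 1 > width:   # leave room for the trailing backslash
            lines.append(cur + "\\")
            cur = "  "
        cur += piece
    lines.append(cur)
    header = "Windows Registry Editor Version 5.00"
    return "\r\n".join([header, "", f"[{key}]"] + lines) + "\r\n"

def decode_ignore_list(reg_text, name="Update_Ignore_List"):
    """Decode the hex(7) data stored under `name` back into a list of strings."""
    joined = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", reg_text)   # undo line continuations
    m = re.search(r'"%s"=hex\(7\):([0-9a-fA-F,]+)' % re.escape(name), joined)
    if m is None:
        raise ValueError("no straight-quoted hex(7) value named %r found" % name)
    raw = bytes(int(h, 16) for h in m.group(1).split(",") if h)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

if __name__ == "__main__":
    print(decode_ignore_list(PAGE_SAMPLE))          # audit before deploying
    print(build_reg(["061-4516", "061-4270"]))      # regenerate from plain codes
```

The decoder rejects value names wrapped in typographic quotes, which is how .reg text copied from a web page often arrives.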
Anyway, hope this helps someone!
Update: Heh, there are already two discovered exploits for Safari 3.1 – more info here. Now can we please keep the comments to being non-fanboy attacks? Other companies have used techniques like this before and they’ve gotten in trouble. Apple should have known better and either (a) made Safari opt-in and/or (b) given admins a way of stopping this update from applying, in much the same way that Microsoft provided customers with a way of stopping IE7 from being installed via Windows Update MONTHS before it was made a Critical Update.


HOWEVER! I still think Apple made a bad move with forcing this down…
Just my 2 cents, Dan
“..nothing was forced upon anyone?” Were you born yesterday? Every OS and software out there puts undesirable crap on your pc without your knowledge. Then when someone asks for solutions you whine “I’m Mac and you’re Windows ooooh”
It’s not “forced” on you, no – but it IS “opt-out” rather than “opt-in”, and it’s worded in such a manner that the average user thinks it’s a “system update”. In a corporate environment, where security is paramount – this is not acceptable, and Apple is doing no favours to any corporate customer by not delivering a decent disabling mechanism
And for the record, my two home machines are both Macs.
imagine if MS released IE8 under a different name than “Internet Explorer” and their Office updater on the Mac popped up to update the Office software but along for the ride came this unheard of product to the user and in the process removed Safari, FF, Opera or even Camino as the default browser. think Apple, and their followers, would stand for anything less than Ballmer’s head on a platter?
DUH!!! Then JUST SAY NO!!
In my company the rules are simple: If you don’t know, ASK. If you don’t recognize the sender/domain of an email, don’t open it. If you don’t know what some update/software is or where it came from, JUST SAY NO! You can always get that update again.
But I forgot, we can’t be personally responsible for anything today, just have to find someone else to blame.
It’s all good and well for techno-literate people to come to this blog and rant on about how lazy or stupid people are but seriously, this is NOT “everyday people” area of expertise. The likelihood is, you work in the IT industry or acquire your knowledge through IT as a hobby. Professional staff in a company – the likes of accountants, architects, secretaries etc – are employed for their skill-set which, although probably involves a level of IT knowledge (ie, email, spreadsheet etc), does NOT require them to know what a “Safari” is and whether it should be updated (mislabelled; should be installed) or not.
It’s the responsibility of the IT department to protect the data of the company, which often includes Software deployment, machine lockdown, and patch / update management. As an IT professional, my beef is that Apple expect you to use a Software Update service (much the same as Windows Update), with absolutely no level of control as to what is deployed, apart from a Yes / No – Install or Don’t. Larger companies will have the resources to cut out the ASU service, and manually push out say, Quicktime every time there’s a new release. Smaller companies don’t have the same resources, so they are likely to use the ASU service for patch management of Quicktime and maybe other products.
Every time a new update gets released, the user just clicks Ok to install it. After a while, they get used to just clicking Ok on this update dialog box that appears, and do it without thinking. And suddenly one morning, all of your staff have a new web browser as the default, their bookmarks are nowhere in sight, they’re being redirected from the company Intranet page, and they’re already exposed to 2 security vulnerabilities (see blog update above).
Seriously, can you *honestly* argue with this? It DOES happen, and there’s a hierarchy of blame that can be attributed; but at the top of the chain sits Apple, who gave no way of easily disabling updates, or no advanced notification that this was coming – both of which Microsoft gives with Windows Update, WSUS (corporate Patch Management) and security bulletins given well in advance of monthly patching.
THAT is why I made the above blog post. So that there IS a way of disabling Safari from being installed. I don’t dislike Apple – I own 2 Macs, an iPhone, an iPod and an Apple TV. I think their products are amazing. Regardless, I strongly disagree with the way they’ve handled the Safari deployment and see it as a sneaky method of gaining a large share of the browser market in a short period of time, which puts the average, non-technical, computer user at risk.
Rant over.
I haven’t tested it but if they stop getting Safari updates you may make things worse in the future.
I’m hopeful though, that Apple will update the ASU service to provide better lockdown capabilities for corporate environments – preferably before the next Safari update.
Dan
“Whatever”? That is completely ignorant, and offensive. I gave you a solid argument and rather than counter with anything constructive or challenging, you dismiss everything I’ve said – which indicates that you won’t listen to reason.
As I said, this blog post is specifically for people who need a mechanism to disable ASU. Please, don’t turn this into an MS/Apple war.
Thank you Dan, for going through the trouble to find this for all of us out here in Microsoft land. You have saved me many hours of pain.
[HKEY_CURRENT_USER\Software\Apple Computer Inc.\Apple Software Update]
not:
[HKEY_CURRENT_USER\Software\Apple Inc.\Apple Software Update]
Can you confirm that your original posting is correct?
Because, like you, I’m thinking of the responsibility of us desktop managers to protect the integrity of the equipment we support, so we’re about to push this solution out to all our users. I want to be sure I have it correct.
Incidentally, it seems that the update codes DO change, as shown by the recent iTunes and Quicktime updates. To exclude Safari (up to 3.1) and iTunes (up to 7.6.2) but keep Quicktime updates, the following reghack works:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Apple Inc.\Apple Software Update]
"Update_Ignore_List"=hex(7):30,00,36,00,31,00,2d,00,34,00,35,00,31,00,36,00,00,\
00,30,00,36,00,31,00,2d,00,34,00,32,00,37,00,30,00,00,00,30,00,36,00,31,00,\
2d,00,34,00,34,00,37,00,38,00,00,00,30,00,36,00,31,00,2d,00,34,00,35,00,38,\
00,38,00,00,00,00,00
On my Vista box the reg key is [HKEY_CURRENT_USER\Software\Apple Computer Inc.\Apple Software Update] with a value of 061-3352.
Cheers
Also, I agree that this is rather sneaky. It’s like the cellphone people at the mall that always offer you a cellphone. A saying I like comes into play here. “Don’t call us, we’ll call you.” I don’t know about you guys, but I don’t like to be bugged to install software that I don’t want or need, without asking for it. And no, I’m not a Windows fanboy, because IE’s Silverlight pissed me off just as much, and there’s seemingly no way to remove that update. So in this case, Apple at least gives you an option. Microsoft, as usual, is just doing more rights restricting. That’s besides the point.
As a sysadmin, I know:
- some users aren’t capable of turning it off (freakout, what’s this thing!)
- having it appear will tick off the users who are more comfortable with computers (why aren’t you keeping up to date?)
As a sysadmin, you can’t let people install things willy nilly, and you can’t even let it happen yourself (because of other dependencies, testing, unwanted “features”). Users don’t get this, and that’s fine, because that’s the sysadmin’s problem. This also means it’s best if it doesn’t bug users in the first place. Don’t even give users a reason to get upset.
(currently researching whether Apple puts the scheduled tasks back, and if there’s a way to disable the updates, period – not just ignore the update that’s there).
I got the iTunes software as it gives me what I need. I expected it to work a certain way. There’s an implied agreement between User and Developer, “I use your program, you keep it working how I expect it to.”
I enjoyed just being able to click ‘Update!’ with confidence and it would update Quicktime and iTunes – fixing bugs, security holes, etc. without doing something I didn’t expect it to do. Then what do I find? Safari’s on my computer! Apple violated my trust that their software would work as expected.
Yes, it’s an easy problem to fix. But trust is so much more than that.
To disallow Apple Software Update in Group Policy:
- Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
- Right-click or Action > New Path Rule…
- Path: C:\Program Files\Apple Software Update
- Security Level: Disallowed
This would prevent Apple Software Update from running, regardless of whether the user installed it, or what version was installed.
Eric S.
Santa Rosa, CA
My users are allowed to install iTunes, and I need to have a way to update it without allowing Safari and especially Bonjour which I absolutely don’t want.
Simply installing quicktime will plague a computer with constant dialog boxes attempting to force itunes, safari and whatever else apple thinks they can shove down users throats with no visible way to disable it.
Done? Heck no. I found I had installed iTunes as well. For what? I hate the thing. So I un-installed that too, re-installed the Quicktime alternative and left it.
Now, I found that Apple’s Updater wanted me to re-update/install not only Quicktime, but iTunes and Safari as well. What a way to rope in new customers. Will I ever trust and buy from Apple?
Well done!
AndyB
How about Add/Remove Programs and uninstall Apple Software Update? Or uncheck the setting when installing Quicktime!
@!@
/
Wow Life is easy,
Drew
Piss on Uncompatible APPLE
I for 1 believe that most if not all commercial browsers are nothing more than a bunch of hacking info gatherers, and definitely “all” OS’s are like governments controlling their users instead of their users controlling the systems they create.
I long for the time when garbage in garbage out was the norm, and when you wanted to update software you did it manually…
My solution – dump iTunes. It’s crap anyway, cumbersome, and you can’t load podcasts from other than your own PC.
Winamp, baby. That’s the ticket.
The Safari debacle is just one more reason to dislike Apple.
Does the .REG file listed above disable Quicktime update? I need to stop Quicktime update for ALL users.
Since the update list changes as Apple releases each update, the above info is outdated. The current ignore for Safari in the MULTI_SZ is “061-5475”. You can disable the current version of iTunes + Quicktime by adding “061-5557”.
Dan
I am still having an issue with Quicktime prompting user to update when they access a .mov file within Internet Explorer.
Any ideas?
Paul
Then you need to copy and deploy the file:
For Vista machines:
C:\Users\\AppData\LocalLow\Apple Computer\QuickTime\QuickTime.qtp
For XP machines (I think):
C:\Documents And Settings\Local Settings\Application Data\Apple Computer\QuickTime\QuickTime.qtp
This will prevent the update check from happening on the other machines.
Dan
Anyhow they aren’t the only ones. Any time you have this or another similar problem just google a solution to disable it. Then you don’t need to worry anymore.
Really guys, does every conversation on the internet have to end up being flame wars about who’s better than what? Just answer the questions, comment on the fact that this was a very helpful page and move on already :P
BTW, for anyone that has already come here and hasn’t waded through the posts, and if you happen to start at the bottom, the easiest way to do this without any editing of the registry is to turn it off in the Scheduled Tasks in your Control Panel. Thanks for that tip guys :)
and for you idiots blathering about apple vs. windows shut up I have iMac’s, mac servers, windows servers, windows boxes, and linux servers, laptops and boxes.
and iMac’s / Macbook pro’s and their servers are over priced nice running hardware, hell it’s packed with intel just like my windows desktop – just shut up and stick to the topic as the updates for apple crap on windows are quite FUCKING annoying
I use a mac, but what is it with other mac people getting so offended when someone calls them an idiot? I mean I thought the entire mac user base was based on the fact that people don’t know how to do simple things with their computers like turning them on.