Disabling Apple Software Update items
So there’s been a lot of talk over the past few days about Apple’s mechanism for deploying the Safari browser on Windows – basically the same tool that’s used to keep iTunes and Quicktime up to date. The problem is, even if you don’t have Safari installed, you’re prompted to “update” (i.e. install) it. In my opinion (and seemingly a lot of others), this is a really bad move on Apple’s part. It’s introducing a new attack vector on customer computers in an underhanded way. I was already kinda annoyed that if you install Quicktime (and the Software Update tool), you’ll be prompted to install Quicktime AND iTunes updates – again, another attack vector – but the Safari update REALLY bothers me. It’s irresponsible of Apple to try to gain market share in such an underhanded manner).
This is also going to be a problem in corporate environments, where end users have a bit of freedom. I know of numerous companies that don’t “allow” Quicktime or iTunes, but don’t have the ability to prohibit the installation (bet you’re wishing you didn’t give your user’s local Administrator privileges now huh?).
So I decided to do a little research into ASU and see if it can be locked down in any way. Well there doesn’t seem to be any ability to lock down through Group Policy, but I did find that a specific REG_MULTI_SZ value in the registry can effectively disable the Safari update. I don’t know if this applies solely to Safari 3.1, or any future versions, but it’s worth implementing anyway. Save this text to a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Apple Inc.\Apple Software Update]
“Update_Ignore_List”=hex(7):30,00,36,00,31,00,2d,00,34,00,35,00,31,00,36,00,00,\
00,00,00
This sets Update_Ignore_List as a REG_MULTI_SZ to “061-4516″. This is the update code for Safari. For companies that need Quicktime to be updated, but don’t want iTunes to be installed, you can also add “061-4270″ to the list:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Apple Inc.\Apple Software Update]
“Update_Ignore_List”=hex(7):30,00,36,00,31,00,2d,00,34,00,35,00,31,00,36,00,00,\
00,30,00,36,00,31,00,2d,00,34,00,32,00,37,00,30,00,00,00,00,00
Anyway, hope this helps someone!
Update: Heh, there’s already two discovered exploits for Safari 3.1 – more info here. Now can we please keep the comments to being non-fanboy attacks? Other companies have used techniques like this before and they’ve gotten in trouble. Apple should know better and either (a) made Safari Opt-In and/or (b) given admins a way of stopping this update from applying, in much the same way that Microsoft provided customers with a way of stopping IE7 from being installed via Windows Update MONTHS before it was made a Critical Update.
I love it when people just find an excuse to make a big deal out of nothing. Apple is probably doing all you Windoze fools a favor by giving you something to hopefully snap you out of that trans you’re in. Besides, nothing was FORCED upon anyone. If you bloody morons READ before accepting anything, you wouldn’t have a problem. But then again, Windoze users are Windoze users for a reason
Man, you sound like a guy with anger issues. No need for name-calling and insults-everyone is entitled to their own opinion. Plus, if Macs were so great everyone would have one, instead of vise-versa!
Actually, I have to disagree here a bit. Macs are gaining massive market share – my primary home machine is a Mac, and I love it.
HOWEVER! I still think Apple made a bad move with forcing this down…
Just my 2 cents, Dan
Jarod: What kind of idiot are you? Nobody cares whether you use mac or windows except dung-suckers like you.
“..nothing was forced upon anyone?” Were you born yesterday? Every OS and software out there puts undesirable crap on your pc without your knowledge. Then when someone asks for solutions you whine “I’m Mac and you’re Windows ooooh”
Such a clever comment, really. Another fanboy rant.
It’s not “forced” on you, no – but it IS “opt-out” rather than “opt-in”, and it’s worded in such a manner that the average user thinks it’s a “system update”. In a corporate environment, where security is paramount – this is not acceptable, and Apple is doing no favours to any corporate customer by not delivering a decent disabling mechanism
And for the record, my two home machines are both Mac’s.
i absolutely love how every time Apple does something that is by all accounts an evil doing as judged by Windows as well as *nix users worldwide (and in some cases the BBB or a courtroom) their fanboy drones come to the defense of poor old Steve whom is just such a man to be revered for his efforts in snubbing philanthropy and child support dodging.
Its not being a fanboy; but if you’ve noticed, everything and everyone is becoming so damned paranoid and insecure and expectation have become absurdly ridiculous. Yes, people are supposed to READ. In corporate environments, and by that I mean, REAL corporate environments, GOOD admins have all user stations LOCKED DOWN so that no user can install anything. Granted, thats not typical of lots of companies, but its no excuse for human laziness and blaming on ‘Oh I didnt read it’. So what if its OPT OUT. Does the extra click warrant such a DRAMATIC reaction. Are people soooo lazy, that ONE click is such a biig deal. Common people! Forget that its Apple for a second. This is certainly not the first time something like this happened. But all eyes are on Apple, and hence, automatically, its a big deal. I just think the internet and technology is simply creating a generation of lame, full of excuses, lazy bums.
Jarod –> i fully respect the fact that this is a simple matter of unchecking a checkbox at the user level but from all the arguments i have read pushing this solution and faulting the users for being “lame, full of excuses, lazy bums” none of them take into account that perhaps many of those users haven’t a clue what Safari is. i’m willing to bet that most of Quicktime’s user base on the Windows side of the fence have never heard the word without it encompassing a trip to Africa. now when you are like me and have both family and friends spread around the world with PCs/Laptops that you cannot lock down unless you could afford to quit your job to administer them remotely at the drop of a dime Apple just put a thorn in your cereal because go figure this caught some off guard as they did not know what Safari was and it was an labeled as “update”. remember the window clearly reads “select the items you want to update”. to the common user this reads out that it is already there and something they should update because that wording implies it is already installed.
imagine if MS released IE8 under a different name than “Internet Explorer” and their Office updater on the Mac popped up to update the Office software but along for the ride came this unheard of product to the user and in the process removed Safari, FF, Opera or even Camino as the default browser. think Apple, and their followers, would stand for anything less than Ballmer’s head on a platter?
Who cares about your stupid corporate lockdown BS. I’m sick of going to my little ol’ grandma’s and mother’s houses and having to uninstall all the crap that gets put on their computers because they have to “opt-out” instead of opt in. I save your idiotic anti-microsoft excuses, they all use Firefox. Apple is no different from Microsoft, shoving it’s products down people’s throats. Just give us a way to stop them.
Nevermind, I just removed the Apple Update run from my scheduled tasks and that seems to have taken care of it.
Robert–> ” that perhaps many of those users haven’t a clue what Safari is.”
DUH!!! Then JUST SAY NO!!
In my company the rules are simple: If you don’t know, ASK. If you don’t recognize the sender/domain of an email, don’t open it. If you don’t know what some update/software is or where it came from, JUST SAY NO! You can always get that update again.
But I forgot, we can’t be personally responsible for anything today, just have to find someone else to blame.
It really seems to be as if some people have missed the whole point of this post. It’s all good and well saying “Duh! Say No!”, “Good admins have their workstations locked down” and “People shouldn’t be so lazy and read what’s on the screen”. The fact of the matter is, they DON’T say no, circumstances can dictate that a machine CAN’T be locked down, and some people ARE lazy.
It’s all good and well for techno-literate people to come to this blog and rant on about how lazy or stupid people are but seriously, this is NOT “everyday people” area of expertise. The likelyhood is, you, work in the IT industry or acquire your knowledge through IT as a hobby. Professional staff in a company – the likes of accountants, architects, secretaries etc – are employed for their skill-set which, although probably involves a level of IT knowledge (ie, email, spreadsheet etc), does NOT require them to know what a “Safari” is and whether it should be updated (mislabelled; should be installed) or not.
It’s the responsibility of the IT department to protect the data of the company, which often includes Software deployment, machine lockdown, and patch / update management. As an IT professional, my beef is that Apple expect you to use a Software Update service (much the same as Windows Update), with absolutely no level of control as to what is deployed, apart from a Yes / No – Install or Dont. Larger companies will have the resources to cut out the ASU service, and manually push out say, Quicktime every time there’s a new release. Smaller companies don’t have the same reasources, so they are likely to use the ASU service for patch management of Quicktime and maybe other products.
Every time a new update gets released, the user just clicks Ok to install it. After a while, they get used to just clicking Ok on this update dialog box that appears, and do it without thinking. And suddenly one morning, all of your staff have a new web browser as the default, they’re bookmarks are nowhere in sight, they’re being redirected from the company Intranet page, and they’re already exposed to 2 security vulnerabilities (see blog update above).
Seriously, can you *honestly* argue with this? It DOES happen, and there’s a hierarchy of blame that can be attributed; but at the top of the chain sits Apple, who gave no way of easily disabling updates, or no advanced notification that this was coming – both of which Microsoft gives with Windows Update, WSUS (corporate Patch Management) and security bulletins given well in advance of monthly patching.
THAT is why I made the above blog post. So that there IS a way of disabling Safari from being installed. I don’t dislike Apple – I own 2 Macs, an iPhone, an iPod and an Apple TV. I think their products are amazing. Regardless, I strongly disagree with they way they’ve handled the Safari deployment and see it as a sneaky method of gaining a large share of the browser market in a short period of time, which puts the average, non-technical, computer user at risk.
Rant over.
What happens if the user has already installed Safari via the update and you then apply these registry changes?
I haven’t tested it but if they stop getting Safari updates you may make things worse in the future.
Actually, I suspect this update applies *solely* to Safari 3.1 and not any future updates. If you manage to deploy it prior to ASU doing it’s update check, you shouldn’t be prompted to install Safari. If you have Safari installed, the update code should change for future security updates or new versions and so it should prompt to install them as they are released.
I’m hopeful though, that Apple will update the ASU service to provide better lockdown capabilities for corporate environments – preferrably before the next Safari update.
Dan
Whatever. In this day and age it is people responsibility to take account of their actions. You do it when you drive, you do it when you’re out in the real world. You should also be doing it online. Microsoft has imposed and forced 10 years worth of shit onto users. So much, that it’s being ripped apart by the ‘TRUE’ justice system in Europe, unlike that Mickey Mouse club we have here in the US. I don’t feel that Apple did anything wrong. Lots of people liken this to installing malware, but the Safari browser is anything but Malware. Users unintentionally install a billion harmful things on their PCs simply by using IE. Now THATS something to be pissed about. This whole Safari thing is a JOKE.
I wouldn’t consider Safari to be malware, but I would say that the mechanism in which it’s being deployed is sneaky at best, and a genuine problem for administrators and security experts everywhere.
“Whatever”? That is completely ignorant, and offensive. I gave you a solid argument and rather than counter with anything constructive or challenging, you dismiss everything I’ve said – which indicates that you won’t listen to reason.
As I said, this blog post is specifically for people who need a mechanism to disable ASU. Please, don’t turn this into an MS/Apple war.
I think you are missing the point here. In a domain environment, admins need to have control over the systems we are required to manage. Quicktime is software that is necessary and is acceptable. But Safari is not, if we wanted it on our machines we would download it and install it for our users. I.E. offers many benefits through group policy that you just do not get with Safari. I can’t set a universal home page for every machine in my domain or manage security settings through group policy with Safari. Apple is wrong to push this down the users throat and then expect admins to waste their time uninstalling it from hundreds of machines. I’ve got better things to do with my time.
Thank you Dan, for going through the trouble to find this for all of out here in Microsoft land. You have saved me many hours of pain.
Dan: When I look at a PC with the most recent Apple Software Update installed, in the registry the key I find is:
[HKEY_CURRENT_USER\Software\Apple Computer Inc.\Apple Software Update]
not:
[HKEY_CURRENT_USER\Software\Apple Inc.\Apple Software Update]
Can you confirm that your original posting is correct?
Because, like you, I’m thinking of the responsibility of us desktop managers to protect the integrity of the equipment we support, so we’re about to push this solution out to all our users. I want to be sure I have it correct.
I’ve checked on multiple machines and mine are always “Apple Inc.”. Might be prudent to set up two reg files and check which ASU key exists before applying.
Incidentally, it seems that the update codes DO change, as shown by the recent iTunes and Quicktime updates. To exclude Safari (up to 3.1) and iTunes (up to 7.6.2) but keep Quicktime updates, the following reghack works:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Apple Inc.\Apple Software Update]
“Update_Ignore_List”=hex(7):30,00,36,00,31,00,2d,00,34,00,35,00,31,00,36,00,00,\
00,30,00,36,00,31,00,2d,00,34,00,32,00,37,00,30,00,00,00,30,00,36,00,31,00,\
2d,00,34,00,34,00,37,00,38,00,00,00,30,00,36,00,31,00,2d,00,34,00,35,00,38,\
00,38,00,00,00,00,00
I am in the process of using a GPO logon script to deploy the registry key and I noticed that using the “061-4516″ didn’t ignore Safari on my Win XPSP2 box. So I ran ignore from the Apple updater and it added a 061-4588 instead. This leads me to believe that this value isn’t fixed even for Safari 3.1.
On my Vista box the reg key is [HKEY_CURRENT_USER\Software\Apple Computer Inc.\Apple Software Update] with a value of 061-3352.
Cheers
How odd. I have both 061-4516 and 061-4588 on the list about but not 061-3352 and it’s ignoring Safari for me fine. I guess there’s really no good way of blocking Safari effectively.
You guys DO realize, at least on the Windows version of the Apple Software Update that under the tools menu, there is an option to ignore updates? Why not use that? I couldn’t even get the registry hack to work; I had Apple’s program do it for me.
Also, I agree that this is rather sneaky. It’s like the cellphone people at the mall that always offer you a cellphone. A saying I like comes into play here. “Don’t call us, we’ll call you.” I don’t know about you guys, but I don’t like to be bugged to install software that I don’t want or need, without asking for it. And no, I’m not a Windows fanboy, because IE’s Silverlight pissed me off just as much, and there’s seemingly no way to remove that update. So in this case, Apple at least gives you an option. Microsoft, as usual, is just doing more rights restricting. That’s besides the point.
The thing that bothers me about this whole thing..
I got the iTunes software as it gives me what I need. I expected it to work a certain way. There’s an implied agreement between User and Developer, “I use your program, you keep it working how I expect it to.”
I enjoyed just being able to click ‘Update!’ with confidence and it would update Quicktime and iTunes – fixing bugs, security holes, etc. without doing something I didn’t expect it to do. Then what do I find? Safari’s on my computer! Apple violated my trust that their software would work as expected.
Yes, it’s an easy problem to fix. But trust is so much than that.
In a Windows Active Directory network, I’m inclined to use a Software Restriction Policy path rule to disallow Apple Software Update, and then roll out any updates through a Group Policy Object’s Software Installation policy instead, choosing the “Uninstall the applications when they fall out of the scope of management” option to automatically remove old versions.
To disallow Apple Software Update in Group Policy:
- Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
- Right-click or Action > New Path Rule…
- Path: C:\Program Files\Apple Software Update
- Security Level: Disallowed
This would prevent Apple Software Update from running, regardless of whether the user installed it, or what version was installed.
Eric S.
Santa Rosa, CA
Does anyone know if this will prevent iTunes from starting an update? There’s a checkbox in Edit|preferences to “Check for Updates Automatically”. Will disallowing the updater in policy prevent it from running via this checkbox? Or is there a registry key that is set by this checkbox (I haven’t been able to track one down), because then I could also turn this off in group policy.
My users are allowed to install iTunes, and I need to have a way to update it without allowing Safari and especially Bonjour which I absolutely don’t want.
My problem with this whole thing is that I’m prompted to “update” Safari every time a new update is released. So maybe once a week a window pops up, minimizing whatever I was doing, saying “oH noez you dun has safari on your comp lol instal it k” and I have to uncheck the damn box and quit out of the window and it really really pisses me off that there’s no option to disable the update prompts.
I personally hate apples software update with a passion.
Simply installing quicktime will plague a computer with constant dialog boxes attempting to force itunes, safari and whatever else apple thinks they can shove down users throats with no visible way to disable it.
Just like others here, I had to install Quicktime for some reason. After I finished, I un-installed it.
Done? Heck no. I found I had installed iTunes as well. For what? I hate the thing. So I un-installed that too, re-installed the Quicktime alternative and left it.
Now, I found that Apple’s Updater wanted me to re-update/install not only Quicktime, but iTunes and Safari as well. What a way to rope in new customers. Will I ever trust and buy from Aplle?
Well done!
AndyB
Wow what a discussion.
How about Add/Remove Programs and uninstall Apple Software Update? Or uncheck the setting when installing Quicktime!
@!@
/
Wow Life is easy,
Drew
Piss on Uncompatible APPLE
Ding Dong, the wicked witch is dead…
I for 1 believe that most if not all commercial browsers are nothing more than a bunch of hacking info gatherers, and defiantly “all” OS’s are like governments controlling there users instead of their users controlling the systems they create.
I long for the time when garbage in garbage out was the norm, and when you wanted to update software you did it manually…
Wow. What was waste of time for sooooooooooooo many of you.
My solution – dump iTunes. It’s crap anyway, cumbersome, and you can’t load podcasts from other than your own PC.
Winamp, baby. That’s the ticket.
The Safari debacle is just one more reason to dislike Apple.
Dan,
Does the .REG file listed above disable Quicktime update? I need to stop Quicktime update for ALL users.
Paul,
Since the update list changes as Apple releases each update, the above info is outdated. The current ignore for Safari in the MULTI_SZ is “061-5475″. You can disable the current version of iTunes + Quicktime by adding “061-5557″.
Dan
Dan,
I am still having an issue with Quicktime prompting user to update when they access a .mov file within Internet Explorer.
Any ideas?
Paul
That’s not Apple Software Update, that’s the built-in mechanism within Quicktime. You need to open up Quicktime, then Preferences. Under Update, untick “Automatically check for new version” and click Apply.
Then you need to copy and deploy the file:
For Vista machines:
C:\Users\\AppData\LocalLow\Apple Computer\QuickTime\QuickTime.qtp
For XP machines (I think):
C:\Documents And Settings\Local Settings\Application Data\Apple Computer\QuickTime\QuickTime.qtp
This will prevent the update check from happening on the other machines.
Dan
Not forced on you? Give me a break, that’s so irrelevant. I’ve never seen a virus or adware do it any worse than what Apple’s doing. If you don’t accept the “update” pops up frequently until you do.
Anyhow they aren’t the only ones. Any time you have this or another similar problem just google a solution to disable it. Then you don’t need to worry anymore.