Larry Osterman's WebLog

Confessions of an Old Fogey
Blog - Title

Why do people write applets?

Why do people write applets?

  • Comments 39

Since I spend so much time railing about applets, I also tend to look at applets to see what they do (after all, the first step in knowing how to defeat the enemy is to understand the enemy).

In general, applets seem to fall into several rough categories:

  • Updaters
  • Notification Area Handlers
  • Helper applications
  • Services (I did say that I lump services into the same category as applets).

Let me take them in turn...

Updaters:  I LIKE updaters.  Updaters are awesome.  IMHO, I trust applications that include updates more than those that don't (because an updater implies a commitment to further development and bug fixes).  However way too many vendors build programs that run all the time and do absolutely nothing other than wait to check for updates every week (or every month).  One other problem with updaters is that sometimes the authors of the updater use the updater to push unrelated software (at the moment, I'm particularly annoyed at the iTunes updater - if you install just Quicktime, the updater tries to get you to install Quicktime+iTunes, and there seems to be no way of shutting it up).

Notification Area Handlers:  Every application seems to want to put its own icon in the notification area.  To me, the functionality that is offered by many of these is of limited value. For example, my display driver includes an applet that allows the user to quickly switch between screen resolutions, but I almost never change my screen resolution - so why provide a easy shortcut for that functionality?  I'm not sure why, but personally I believe it's because of branding (since you get to put an icon with your notification area handler, it makes it obvious to the user that you've installed the software).  Some pieces of notification area functionality are quite useful (the "big 4" (Sound, Network, Battery, Clock) in Windows are good examples, as are things like RSSBandits' status indicator), but many of them make me wonder (which is why I suspect that branding is the real reason behind many of the notification area icons).

Helper applications: These are things like "FlashUtil9d.exe" (running on my machine right now) and other support processes.  Users often don't see these (since they don't bring up UI), but they live there nonetheless.  I have an HP 7400 printer at home, and the printer driver for that runs 2 separate processes for each user (one of which hangs during shutdown every time a user logs off).

Services: A special class of helper application, services have some significant advantages over helper applications (and some drawbacks).  Services can be centrally managed, and expose a common startup/shutdown interface.  They also can be automatically started at system boot, have strict dependencies, and can run in arbitrary user contexts (including elevated contexts).  On the other hand, it's difficult (and in many ways effectively impossible) to have services run in the context of the currently logged on user.  I'm a huge fan of services, but it's possible to totally overdo it.  In Windows Vista, there were a slew of new services introduced, and more and more applications are creating services, since the currently logged in user is no longer an administrator.  An example of a helper service is the WHSConnector service that comes with Windows Home Server (another of my current favorite products), and there are a bazillion others.

 

I'm sure that there are other categories of applets, but these 4 appear to be the biggies.

 

Tomorrow: So why are applets bad?

  • I like how Windows Vista moves the "big four" notification icons into a different area and treats them differently.

  • I don't like update craplets. Even if I do install an app, I do it for a particular purpose, and I certainly don't want to think about it beyond that purpose (unless the applet is a hobby).

    Example: Adobe Reader is something I install in order to view PDFs. That's it. I don't care about the bajillion new features they put in version 8.1, I certainly don't want to be reminded in $(a random period of time), I want it to open PDFs and shut up otherwise.

    I've sometimes had to resort to violence on this. For example, some version of the DivX codec had a tray app that would pop up every time you played a DivX movie, and offer a menu for of options, none of which I was remotely interested in. I had to rename the app's exe to stop that.

  • Jonathan, do you care when your machine gets 0wned because of a security vulnerability in Adobe Reader?  There have been at least 3 critical security holes found in Reader over the past couple of years, the updater gives Adobe's customers the ability to update those vulnerable customers.

    It's hideously unfortunate that Adobe and others use their updaters to upsell unrelated products - it's violates one of the tenets of trustworthy computing (you don't treat security fixes as upsell opportunities).  Apple is notorious for this because of their patch policy (they only apply patches for the current revision of the OS, customers that have older OSs need to upgrade to get the security fix, even if the older OS is vulnerable).

  • That's a risk I'm willing to take. As a mitigation, I always turn off Adobe Reader's IE intergration. I also do it since it renders 3 times slower than the standlalone reader (one of my computers is kinda old).

  • Yeah, I've disabled PDF plugin support as well. Autoupdaters like Adobe's are just too obnoxious with trying to sell me Photoshop and other crap. I'd rather just manually update when I see word of the vulnerability, since I don't deal with random Internet PDFs.

    Besides, a little informational hygiene can go a long way on a firewalled desktop. (Laptops, of course, need to be running every defense known to man.) Whitelisting Flash and JavaScript reduces the attack surface significantly for these types of exploits.

  • I too hate updater applets, because they spend 99% of their time doing nothing useful and sucking up resources. Security remediation is important, but having each application install its own updater applet is not a scalable solution.

    Perhaps it's time for a MS provided updater service than ISVs can plug into for scheduled updating. Why does each ISV need to write this functionality?

    Worst case, I'd rather see apps using a Windows Scheduler job to schedule periodic update checks. Or checking at run-time. Anything instead of a continuously running applet.  

  • I have to say I'm rather sympathetic to Jonathon's point of view. There simply has to be a better way. In an age of ubiquitous internet access, you can justify installing a dedicated updater for pretty much any application beyond the simple Windows applets (e.g., Notepad).

    I think a better solution is for the application to check on startup--like Paint.NET does. Or maybe Microsoft could make it easier for third-parties to use their Update service. (I thought WER had a way of distributing fixing, but only in response to crashes and hangs.)

    Coincidently, the IE blog published a short article on good practices for updating ActiveX controls. In my experience, most ActiveX controls are the "craplets of the web", so there may be some parallels (particularly to the first point they discuss):

    http://blogs.msdn.com/ie/archive/2007/08/13/good-practices-for-activex-updates.aspx

  • I also hate the Apple Updater's tendency to inflict iTunes on me, but here's what I really liked about it: it used Scheduled Tasks to perform its checks for updates. That's massively superior to running a background process of its own at all times. It's just a shame it updates the wrong product, really.

    What I'd really like though (and this is getting off-topic) is a website listing updates, with a nice ATOM feed to which I could subscribe. That'd help me for apps that don't have updaters or which have updaters that I don't trust. Some applications actually ship security fixes as unsigned blobs over http!

  • Jim, you're right, that's one of the things I'm planning on pointing out in post #4 (mitigations).

  • I believe many of the "helper applications" exist merely to pre-load DLLs on log-in, in the hopes that the application which uses those DLLs will load faster when the user starts it.

    Aside from being pushy marketing tools, updaters give developers too much reassurance that they can ship now and patch it later.  I also don't like the state of my machine to be in constant flux.  Security holes are important, but so is stability.   Nothing like a bug in a non-essential update to consumer your entire morning.

    Updaters are also beacons, telling vendors more about our systems and habits than they need to know.

    Sometimes our IT remote management tools badger me to install updates to applications I've uninstalled!

    BTW, Foxit Software makes a nice alternative to Adobe Reader.

  • As someone who has created a program that allows people to remove the unwanted startups I love your topic this week.

    I'm not a big fan of auto-updates although I like your thinking about the publishers commitment. I've had a number of apps and new machines come with a single updater from InstallShield. I don't use InstallShield myself anymore but having a single program for multiple apps makes sense. Unfortunately, I keep seeing to many things break after an update is installed.

    The biggest complaint I hear is about applications like QuickTime that stick themselves back into the Startup list anytime they just run.  Apple also annoyed a number of people by installing their "Apple Mobile Device Service" with the last iTunes update. This was released the same week as the iPhone and unless you have an iPhone it's useless.

    Bill

  • Adrian, I'm not so sure about that - for instance I believe that the flash plugin I mentioned runs to bypass some of the IE low rights restrictions (I'm not sure about that though).  

  • Larry,

    I recall some kind of feature during the longhorn alphas (sorry

    to bring it up...) of some kind of unified updating framework where apps would register with windows and windows would auto-magically sort it all out. Windows would run them in a sand box and spread their activity out during the startup process, rather having every app hammer your internet connection at logon. Installing updates at shutdown etc.

    I still think it's a good idea, and if i did just invent it, i still think its a good idea!

    Steve

  • I'm not aware of Adobe Acrobat reader trying to 'sell' me other products - certainly not photoshop! -  I've never had that happen to me.

    the only issue I've had with the product is that for many years when you viewed a PDF in the web browser, it would do a check for a newer update.  And often time-out.  The result being that this would be the #1 reason here why IE would seem to be frozen.  You could see in Task Manager that it was acroread.exe that was frozen.  I've debugged this problem for people at home and at work!  The work-around was to start acrobat reader on its own so that it did its update check -- and present you with the user interface with potentially an error message box!

    That problem seems to have a vanished a couple of years ago, however.

  • ulric, I don't think that Acrobat Reader does that.  I know that QT does.

Page 1 of 3 (39 items) 123