Whenever I go to clean up a friend/relative’s computer that they complain is too slow there’s one thing I almost always find: Numerous browser toolbars, particularly in Internet Explorer. Not all browser toolbars are bad, but the bad ones do seem to get around.
There is a long and disturbing history of malicious toolbars for browsers, especially Internet Explorer, in which toolbars are implemented as a BHO or Browser Helper Object, although not all BHOs are toolbars. A BHO or a Firefox plug-in need not be malicious in order to be a problem. Some are a problem just because a user has too many of them (click here to see an extreme example). But browser add-ons in both browsers run in the same process as the browser itself; they have access to all the data the browser has, and instability in the add-on can make the browser unstable.
The Internet Explorer association with toolbar excess is partly a mirage. Systems that get all messed up from shady browser toolbars are inevitably run by non-expert users, and such users are not usually the types to use Firefox. Perhaps if they had their default browser set to Firefox but were otherwise as credulous and unsophisticated about malicious software their Firefox would end up as badly. Firefox does support add-ins and browser toolbars and there are shady ones available (and even explicitly malicious ones, like this one).
Enter Symantec and Ask.com with a new partnership “to Make Web Searching Safer.” The deal has to do with the upcoming Norton 360 version 3, currently in beta. The Norton Toolbar in Norton 360 will include search box with “Safe Search” which uses Norton Safe Web, a rating service in beta for several months, and Ask.com search results.
I’m sure there’s nothing malicious about the Norton Toolbar, although many Norton products have for years included a lesser-featured Norton Toolbar that served no useful purpose at all and only cluttered the browser. The Norton 360 toolbars have included more information, generally about whether it considers the site safe or unsafe.
There is the separate issue of Ask.com. Some are asking why Symantec would associate with a company that has a history of seriously shady practices. Even today Ask.com is involved with sites and software that I would certainly warn people of. Consider the MyWebSearch site and toolbar. The site generates a page full of sponsored results before any organic ones and the toolbar installs to the left of the browser address bar, pushing it to the right with the obvious goal of tricking people into typing addresses into the search bar. Why would Symantec partner with such a company? It blurs the line between the problem makers and the problem solvers.
Back to the big picture of browser toolbars. For enterprises and other managed networks, this problem is no different really than any other nuisance software. Employees can’t (or certainly shouldn’t) install whatever they want and you can effectively prevent them. For home users and small business things are a little more complicated. Far too often, in order to install one thing that you want you end up installing another, or at least you are asked to and have to opt out of installing it. And there are plenty of malicious BHOs, many with toolbars. Here’s an old list and the current list is certainly much longer.
In just the last few months I’ve had to be careful not to install the Yahoo toolbar, the AOL toolbar, the Google toolbar, and lately-a shocking irony to me-the MSN toolbar during installation of Java. A user who isn’t careful can end up with all of these just for installing AIM, Flash and other popular software for which these toolbars are unnecessary. Bugs in and conflicts between these toolbars make the whole browser buggy. Unsophisticated users may not even know that they can get rid of the browsers and end up losing lots of browser real estate.
Why is there so much pressure for you to install toolbars? Because there’s money to be made if you can get people to use your toolbar and therefore your search results. The browser is where so many people spend their time these days. I’ve come to distrust all of them and keep my browsers free of them. Do the same and I bet you’ll have a more stable computing experience.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.