Поделиться через


Google Toolbar Beta for Enterprise a "Trojan horse" MSI package.

Wow, I started this morning off really excited. I saw the announcement that Google has a toolbar for the enterprise and it supposedly came with a Windows Installer package. So, I skimmed through the feature list and saw the statement:

Simple and safe to deploy

Google Toolbar Beta for Enterprise includes a Microsoft Windows Installer package that makes organization-wide distribution a snap.

Cool. So, I downloaded the .zip file and popped open the GoogleToolbarInstaller.msi and what should I find? Yep, you guessed it. The GoogleToolbarInstaller.msi file was created by the WiX toolset. Woohoo! How cool is that? Google uses the WiX toolset.

After calming down, I decided to look around and see how well the MSI was actually put together. Then my excitement dropped. The GoogleToolbarInstaller MSI package is a total fake. Their MSI file is nothing more than a wrapper around the old GoogleToolbarInstaller.exe. The Google Toolbar Beta for Enterprise does not use the Windows Installer to actually install the files (I'm not sure what install technology they are using). That means the Google Toolbar Beta for Enterprise does not get all of the transaction guarantees and other administrative/repair features that a true Windows Installer package would provide.

If you are an administrator looking to deploy this package, don't be surprised when you find that this MSI package doesn't behave exactly like real Windows Installer packages. The Google Toolbar Beta for Enterprise MSI package is really just a "Trojan horse" carrying their custom installation system. I really wish Google had used the Windows Installer technology more appropriately.

Comments

  • Anonymous
    February 01, 2006
    企業向け Google Toolbar のMSIパッケージは、トロイの木馬!? - WiX/Windows Installer
  • Anonymous
    February 01, 2006
    The comment has been removed
  • Anonymous
    February 01, 2006
    The comment has been removed
  • Anonymous
    February 01, 2006
    The comment has been removed
  • Anonymous
    February 01, 2006
    I have successfully repackaged the Google Toolbar installer for deployment. It's a pretty simple install. A lot of vendors take the easy way out with their installers. Sun's Java Runtime Environment is another example of this faux pas.
  • Anonymous
    February 02, 2006
    How to detect the MSI package was created with WiX?
  • Anonymous
    February 02, 2006
    They've done the same thing with the Google Desktop Search for the Enterprise.We looked at this about 6 months ago and also noticed that it was just a wrapper MSI. Of course the fun here is that it dumps a shortcut on the Desktop. Very un-corporate and something that most entprise environment's frown on.There was no easily documentated method of stopping this behaviour without seemingly needed to create an MSI install for yourself. With this in mind we binned deploying it in our environment.In their favour it's one of the rare applications I've seen that works nicely with GPO and comes with it's own ADM's.
  • Anonymous
    February 02, 2006
    Well... there is a learning curve involved with using MSI (properly). Quite a few people still see installation as glorified xcopy and have trouble understanding the MSI way.Most likely they did this as a way to distribute something that they already knew worked and at the same time get their feet wet with MSI.I think you will see a proper Windows installer package with the next iteration of the product.
  • Anonymous
    February 02, 2006
    The comment has been removed
  • Anonymous
    February 02, 2006
    Sorry for the back to back posts but I want to drive my point home a little more. InstallShield has done the exact same thing also. Take a look at the MDAC 27 ENU merge module that InstallShield distributes. All it does is sequence a custom action that shells out to a legacy installer to install the MDAC redistributables.And you want to know where they got that idea from? MICROSOFT!Read this one in case you've never seen it:http://support.microsoft.com/?kbid=320788In the above link there is a download of a white paper that ( SUPRISE ) teaches how to create a merge module with a custom action to call out to the MDAC setup.
  • Anonymous
    February 03, 2006
    Christopher is absolutely right. I was amazed at Microsoft's MDAC merge module solution when I first encountered it. I still find it very weird that Microsoft doesn't provide nice merge modules for MDAC (and some other technologies). And the merge modules that they do provide often contain errors, that cause my installers to fail ICE validation.

    BTW Rob, how did you know it was created using WiX? Did they use the GUI library? Or did they use a WiX custom action?
  • Anonymous
    February 06, 2006
    I haven't looked at the inner workings of the structured storage, but if you look at the MSI with a hex editor or even notepad/strings command you can see it branded:

    Windows Installer XML v2.0.3309.0 (candle/light)
  • Anonymous
    February 06, 2006
    I just looked at the WiX source.  Take a look at the UpdateSummaryInfor() in binder.cs.  It's being stored in Property 18 ( PID_APPNAME for those of us who like to use constants ).  

    BTW, too bad ORCA doesn't display this property... :)
  • Anonymous
    February 06, 2006
    Leon, Christopher Painter is correct.  The Application Summary Property in the Summary Information stream is updated by the WiX toolset as per the MSI SDK:

    Creating Application Summary Property

    The Creating Application Summary property conveys which application created the installer database. In general the value for this summary property is the name of the software used to author this database.
  • Anonymous
    February 07, 2006
    Ah, thanks for your explanation.
  • Anonymous
    February 08, 2006
    I didn't mean to put Rob on the spot with my comments.  But I was hoping to get his opinion on the points that I raised.
  • Anonymous
    February 08, 2006
    Oh, Christopher, I wasn't trying to avoid commenting.  You're comments are actually a great segue into my next couple big posts.  Also, remember I'm trying to answer more comments and blogs with my own blog posts: http://blogs.msdn.com/robmen/archive/2006/01/07/510425.aspx.  I haven't forgotten, I'm just lazy.  <wink/>
  • Anonymous
    February 10, 2006
    I've read that thread, and I took it to mean instead of making comments on other peoples blogs make posts on your own.  I didn't take it to mean don't make comments on your own posts on your own blog.    To me comments on a blog helps keep topics together.

    I personally don't mind making comments on other proples blogs, it shows respect for that person.  It says I was here and I deemed the post good enough to contribute.

    For me to only make comments by making posts on my own blog seems like a selfish way of saying I'm too important  to make a comment on Robmen's blog and I'd rather draw everyone to my blog instead.

    I don't make posts on my blog to satisfy some sense of self-grandure.  I do it to share my thoughts in the hope that it will help someone else with their problems.
  • Anonymous
    February 10, 2006
    The comment has been removed
  • Anonymous
    February 10, 2006
    The comment has been removed