Google Toolbar Beta for Enterprise a "Trojan horse" MSI package.


Wow, I started this morning off really excited. I saw the announcement that Google has a toolbar for the enterprise and it supposedly came with a Windows Installer package. So, I skimmed through the feature list and saw the statement:

Simple and safe to deploy

Google Toolbar Beta for Enterprise includes a Microsoft Windows Installer package that makes organization-wide distribution a snap.

Cool. So, I downloaded the .zip file and popped open the GoogleToolbarInstaller.msi and what should I find? Yep, you guessed it. The GoogleToolbarInstaller.msi file was created by the WiX toolset. Woohoo! How cool is that? Google uses the WiX toolset.

After calming down, I decided to look around and see how well the MSI was actually put together. Then my excitement dropped. The GoogleToolbarInstaller MSI package is a total fake. Their MSI file is nothing more than a wrapper around the old GoogleToolbarInstaller.exe. The Google Toolbar Beta for Enterprise does not use the Windows Installer to actually install the files (I’m not sure what install technology they are using). That means the Google Toolbar Beta for Enterprise does not get all of the transaction guarantees and other administrative/repair features that a true Windows Installer package would provide.

If you are an administrator looking to deploy this package, don’t be surprised when you find that this MSI package doesn’t behave exactly like real Windows Installer packages. The Google Toolbar Beta for Enterprise MSI package is really just a "Trojan horse" carrying their custom installation system. I really wish Google had used the Windows Installer technology more appropriately.

Comments (20)

  1. Is the MSI package for the enterprise Google Toolbar a Trojan horse!? – WiX/Windows Installer

  2. Caleb says:

    The title of this blogpost is a bit misleading (how ironic?).

    Mozilla was making a few MSIs during a period of time, and those were also just wrappers around their “silent” installation program. Sometimes it's just too much time to create another installer, and then to beta test it.

    Note that Mozilla has stopped using those MSIs because they sucked. Probably sometime in the future they’ll have real ones 😉

  3. Caleb, the title may be a bit sensationalist (okay, maybe a bit more than a little <grin/>) but it says exactly what I meant it to say. The MSI package for the Google Toolbar Beta for Enterprise is a wrapper to make the custom installation executable (whatever it may do) appealing to administrators to deploy. The Greeks did the same thing. They wrapped themselves in a wooden horse to be more palatable to the Romans.

    When I put "Trojan horse" in quotes, I was trying to indicate I meant the more literary meaning of the term Trojan horse not the popular computer security meaning. Maybe I should have called out my meaning explicitly in the blog entry. I guess the comment here will have to suffice.

    By the way, I’ve never installed Firefox (just haven’t made time to do so) but I would have said the same thing about their MSI package if I ever looked at it. I also appreciate the time and effort that goes into creating installers (I’ve spent a bit of time creating them myself <smile/>), but my understanding is that the Google Toolbar Beta for Enterprise only needs one installer for one platform. They could have made it a proper MSI package.

  4. AJ says:

    I have successfully repackaged the Google Toolbar installer for deployment. It’s a pretty simple install. A lot of vendors take the easy way out with their installers. Sun’s Java Runtime Environment is another example of this faux pas.

  5. twaltari says:

    How to detect the MSI package was created with WiX?

  6. Adam Bell says:

    They’ve done the same thing with the Google Desktop Search for the Enterprise.

    We looked at this about 6 months ago and also noticed that it was just a wrapper MSI. Of course the fun here is that it dumps a shortcut on the Desktop. Very un-corporate and something that most enterprise environments frown on.

    There was no easily documented method of stopping this behaviour without seemingly needing to create an MSI install for yourself. With this in mind we binned deploying it in our environment.

    In their favour it’s one of the rare applications I’ve seen that works nicely with GPO and comes with its own ADMs.

  7. runIt says:

    Well… there is a learning curve involved with using MSI (properly). Quite a few people still see installation as glorified xcopy and have trouble understanding the MSI way.
    Most likely they did this as a way to distribute something that they already knew worked and at the same time get their feet wet with MSI.
    I think you will see a proper Windows installer package with the next iteration of the product.

  8. Rob-

    I’m usually nodding my head with you, but come on, Microsoft did the EXACT same thing with the Windows Media Player 9 Administratios Deployment kit that we talked about a couple blogs ago.

    Perhaps if AD GPO wasn’t so restrictive in only understanding MSI people wouldn’t feel the need to wrap legacy installer in a pseudo-msi package.

  9. Sorry for the back to back posts but I want to drive my point home a little more. InstallShield has done the exact same thing also. Take a look at the MDAC 27 ENU merge module that InstallShield distributes. All it does is sequence a custom action that shells out to a legacy installer to install the MDAC redistributables.

    And you want to know where they got that idea from? MICROSOFT!

    Read this one in case you’ve never seen it:

    http://support.microsoft.com/?kbid=320788

    In the above link there is a download of a white paper that ( SURPRISE ) teaches how to create a merge module with a custom action to call out to the MDAC setup.

  10. Leon Zandman says:

    Christopher is absolutely right. I was amazed at Microsoft’s MDAC merge module solution when I first encountered it. I still find it very weird that Microsoft doesn’t provide nice merge modules for MDAC (and some other technologies). And the merge modules that they do provide often contain errors, that cause my installers to fail ICE validation.

    BTW Rob, how did you know it was created using WiX? Did they use the GUI library? Or did they use a WiX custom action?

  11. I haven’t looked at the inner workings of the structured storage, but if you look at the MSI with a hex editor or even notepad/strings command you can see it branded:

    Windows Installer XML v2.0.3309.0 (candle/light)

  12. I just looked at the WiX source.  Take a look at the UpdateSummaryInfor() in binder.cs.  It’s being stored in Property 18 ( PID_APPNAME for those of us who like to use constants ).  

    BTW, too bad ORCA doesn’t display this property… 🙂

  13. Leon, Christopher Painter is correct.  The Application Summary Property in the Summary Information stream is updated by the WiX toolset as per the MSI SDK:

    Creating Application Summary Property

    The Creating Application Summary property conveys which application created the installer database. In general the value for this summary property is the name of the software used to author this database.
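
The check described in comments 11 to 13, as an added example that is not part of the original post or of the WiX source: it reads property 18 (PID_APPNAME) from the bytes of a Summary Information property set stream. It assumes the stream has already been extracted from the MSI's compound file, and the sample stream is constructed here around the brand string quoted in comment 11.

```python
import struct
import uuid

# FMTID of the Summary Information property set (OLE property set format).
FMTID_SUMMARY = uuid.UUID("F29F85E0-4FF9-1068-AB91-08002B27B3D9")
PID_APPNAME = 18   # "Creating Application" summary property
VT_LPSTR = 0x001E  # length-prefixed, NUL-terminated byte string

def read_lpstr_property(stream: bytes, pid: int):
    """Return the VT_LPSTR value of `pid` from a property set stream, or None."""
    byte_order, _ver, _sysid, _clsid, nsets = struct.unpack_from("<HHI16sI", stream, 0)
    if byte_order != 0xFFFE or nsets < 1:
        raise ValueError("not a property set stream")
    fmtid, set_off = struct.unpack_from("<16sI", stream, 28)
    if uuid.UUID(bytes_le=fmtid) != FMTID_SUMMARY:
        raise ValueError("first property set is not Summary Information")
    size, nprops = struct.unpack_from("<II", stream, set_off)
    if set_off + size > len(stream) or 8 + 8 * nprops > size:
        raise ValueError("truncated property set")
    for i in range(nprops):
        # Each directory entry is (property id, offset relative to the set).
        prop_id, rel = struct.unpack_from("<II", stream, set_off + 8 + 8 * i)
        if prop_id != pid:
            continue
        if rel + 8 > size:
            raise ValueError("property offset out of range")
        vtype, length = struct.unpack_from("<H2xI", stream, set_off + rel)
        if vtype != VT_LPSTR or rel + 8 + length > size:
            raise ValueError("unexpected type or length")
        start = set_off + rel + 8
        # Assumption: decode as latin-1 instead of honouring the code page property.
        return stream[start:start + length].split(b"\x00", 1)[0].decode("latin-1")
    return None

def build_sample(appname: bytes) -> bytes:
    """Construct a minimal one-property stream for the demo (not a real MSI)."""
    value = appname + b"\x00"
    value += b"\x00" * (-len(value) % 4)  # values are padded to 4 bytes
    prop = struct.pack("<H2xI", VT_LPSTR, len(appname) + 1) + value
    pset = struct.pack("<IIII", 16 + len(prop), 1, PID_APPNAME, 16) + prop
    header = struct.pack("<HHI16sI", 0xFFFE, 0, 0x00020005, bytes(16), 1)
    return header + struct.pack("<16sI", FMTID_SUMMARY.bytes_le, 48) + pset

# Constructed sample stream carrying the brand string quoted in comment 11.
SAMPLE = build_sample(b"Windows Installer XML v2.0.3309.0 (candle/light)")

def authored_with_wix(stream: bytes) -> bool:
    name = read_lpstr_property(stream, PID_APPNAME) or ""
    return name.startswith("Windows Installer XML")
```

The property is written by the authoring tool and can be set to anything, so it identifies the toolchain an honest author used rather than proving anything about the package.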

  14. Leon Zandman says:

    Ah, thanks for your explanation.

  15. I didn’t mean to put Rob on the spot with my comments.  But I was hoping to get his opinion on the points that I raised.

  16. Oh, Christopher, I wasn’t trying to avoid commenting.  Your comments are actually a great segue into my next couple *big* posts.  Also, remember I’m trying to answer more comments and blogs with my own blog posts: http://blogs.msdn.com/robmen/archive/2006/01/07/510425.aspx.  I haven’t forgotten, I’m just lazy.  <wink/>

  17. I’ve read that thread, and I took it to mean instead of making comments on other people’s blogs make posts on your own.  I didn’t take it to mean don’t make comments on your own posts on your own blog.  To me comments on a blog help keep topics together.

    I personally don’t mind making comments on other people’s blogs, it shows respect for that person.  It says I was here and I deemed the post good enough to contribute.

    For me to only make comments by making posts on my own blog seems like a selfish way of saying I’m too important to make a comment on Robmen’s blog and I’d rather draw everyone to my blog instead.

    I don’t make posts on my blog to satisfy some sense of self-grandeur.  I do it to share my thoughts in the hope that it will help someone else with their problems.

  18. Christopher, I feel that trackbacks remove the selfishness/self-grandeur angle of your argument.  If I just have a quick comment, then I’ll leave a comment on someone else’s blog.  However, if I have an intricate counter-point or I want to expand on their point with more than a paragraph, I think posting a blog entry and leaving a trackback to the appropriate blog entry (on my own blog or others) is very reasonable.  And honestly, after seeing Scoble do so on their blogs for a while, I think I prefer it… because he points out interesting comments that I might have otherwise missed.

    To respond to some of your comments above, I have been thinking about a particular blog entry (or 3!) for about a month trying to get the points all organized in my head.  It isn’t something I’m just going to whip up and drop in a comment somewhere.  It is going to take me more than a couple hours to write and I’m going to want it spell checked and I’m going to want to make sure I save drafts in case the browser refreshes or whatever.

    See, already, this comment here probably should have been posted as a blog entry.  It demonstrates a lot about what I believe and now it is hidden under the title "Google Toolbar Beta for Enterprise a ‘Trojan Horse’ MSI package."

    How many people do you think are going to find this great discussion between us (and I do mean that sincerely, not sarcastically) here?

  19. Sincerely, I read every one of your posts and every one of the comments on them.  The same goes for several other setup bloggers.  It’s a small community and I never want to miss a chance to learn something new.

    In my blog ( now mostly defunct since blogging is verboten in my new job ) I’m not worried about reaching lots of people but just the ones that find it interesting.  In fact I barely get any traffic now, sad, but understandable considering the circumstances.  Still maybe one day I’ll be able to publish again.

    And for the selfishness/grandeur comment, I wasn’t talking about anyone other than myself.  The only other argument is when I post a comment on your site I’m giving you the respect to be able to choose to moderate or remove it if you like.  I’m afraid too many people could get tempted to go blog some nasty comments on their own site where you don’t get the same respect shown to you.

    But either way you are right.  This whole topic is thoroughly hijacked now!  In fact feel free to delete all of these comments if you like!! 🙂