How can you call it browser hijacking when they show you exactly what they are doing and give you the option to change it? If they did it without telling you, sure, but they don't in this case, and it isn't buried in an end-user license agreement or other vague text.
A number of readers wrote to me to make a similar point regarding Microsoft's (MSFT
) handling of a patch of a "critical" vulnerability in the MSN Messenger instant-messaging program. I took exception to part of the procedure in which, unless you were careful to uncheck an option, the upgrade would set your Internet Explorer home page to msn.com.
This home page option is routinely included in installations of MSN Messenger, whether first-time or of a new version. I feel strongly that software providers shouldn't change system settings by default unless they're essential to the proper functioning of the new program. But there's no question that software publishers are within their rights to make these offers, however aggressive. Indeed, Yahoo! (YHOO
) and America Online, among others, do the same thing.
GOING SIMPLE. A security patch, however, is not the same as a new installation or a routine upgrade. Security experts recommend that patches should do nothing but fix the problem at hand, not introduce new features or improvements that aren't security-related. A Microsoft spokesperson says the current design of MSN Messenger required that a new version be downloaded rather than just a patch, as is common with other components. Microsoft is trying for simpler patches in the future, she says, "but unfortunately we aren't there yet."
But even if it needed to replace all of Messenger, Microsoft should have provided a clean installation that fixed the vulnerability, period. It would, frankly, be a lot easier for me to accept Microsoft's oft-repeated claim that security is the company's top priority if it would consistently stick to what is generally regarded as best practice in the security area. Wildstrom is Technology & You columnist for BusinessWeek. You can contact him at firstname.lastname@example.org