
Bing has been serving up malicious Google Chrome ads for months - wglb
https://www.forbes.com/sites/jasonevangelho/2018/10/27/stop-using-microsoft-edge-to-download-chrome-unless-you-want-malware/
======
emmelaich
I mentioned this in a comment over a year ago in a story about paint.net.

[https://news.ycombinator.com/item?id=14338174](https://news.ycombinator.com/item?id=14338174)

> _The Bing search engine is about as bad. A close friend used IE to get
> Google Chrome. They clicked the first result and luckily I was able to stop
> them before starting the install on some crapware.
>
> So I asked them to be careful to ensure the download site is correct and left
> them to it.
>
> I came back to find they had downloaded some other crapware.
>
> I checked the search results. The ENTIRE first one and a half page of results
> were advertisements for versions of crapware which may or may not have been
> Chromium or Chrome lookalikes with lots of malware._

~~~
AnonymousPlanet
This is exactly what you would get if you'd deliberately moved all links to
the legitimate site way down. Maybe because it's your competition?

~~~
hayksaakian
Or if Bing was more susceptible to spam and abuse than Google

~~~
kakarot
Well, after Bing got busted for scraping Google's results, they had to scramble
to implement their own terrible search algorithm.

------
weinzierl
Call me paranoid, but every time I install software on Windows [1] I do the
following dance:

1. Search for the name of the software on Google [2].

2. Open link to software in separate tab.

3. Open Wikipedia link (usually on the same SERP) for software in separate
tab.

4. Compare domain name from direct link with the domain name from the
Wikipedia article.

5. Open another tab and type domain name manually.

6. Find download link manually on domain [3].

I do this since a family member got burned badly by a malicious OpenOffice
install many years ago.

[1] _Sometimes I do it on Mac too, because the App Store has its own issues
(e.g. upgrades are often cheaper if you buy software directly). On any other
system I use the package manager. All of this makes the effort bearable
because I only have to do it rarely._

[2] _I'm usually on DuckDuckGo, but for this I always used Google. The reason
is that I had hope that they'd remove malicious results quicker. It's manual
work after all and Google has more resources. This whole thread makes me doubt
though._

[3] _I'd do this anyway because I usually don't want to install the version
that is automatically suggested, but decide myself which specific version I
want to install. Most of the time the reason is the language._
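Step 4 of the dance above (compare the host in the download link with the domain taken from an independent source such as the Wikipedia article) is the part that is easy to get subtly wrong by eye. The script below is an added example and is not weinzierl's own tooling; it does that comparison and also refuses the URL shapes that make a hostname read correctly while pointing elsewhere, including the non-ASCII and punycode hosts behind the IDN homograph question raised further down the thread. The official domain and the sample links are constructed for illustration.

```python
"""Automated version of the 'compare the domain' step for a software download.

Added example, not weinzierl's code. download_host() rejects URL shapes that
should never be trusted for a download; check_download_url() then compares the
remaining host with the official domain obtained out of band (Wikipedia, or
typed by hand). Sample domains and links are constructed.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit


def download_host(url: str) -> Optional[str]:
    """Return the lowercase ASCII hostname of url, or None if the URL is suspicious."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None                 # plain http can be rewritten in transit
    if "@" in parts.netloc:
        return None                 # https://www.google.com@evil.example/ reads as google.com
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return None                 # Cyrillic/Greek look-alike letters: an IDN homograph
    if any(label.startswith("xn--") for label in host.split(".")):
        return None                 # punycode spelling of the same trick
    return host


def check_download_url(url: str, official_domain: str) -> Tuple[bool, str]:
    """Compare url's host with official_domain; accept the domain or a real subdomain."""
    official = official_domain.strip().rstrip(".").lower()
    host = download_host(url)
    if host is None:
        return False, "rejected: non-https, credentials in URL, or non-ASCII/punycode host"
    # "google.com.evil.example" does not end with ".google.com", so it fails here.
    if host == official or host.endswith("." + official):
        return True, host
    return False, f"host {host} is not {official} or a subdomain of it"


if __name__ == "__main__":
    official = "google.com"         # what the Wikipedia infobox gives you in step 3
    for link in [
        "https://www.google.com/chrome/",
        "http://www.google.com/chrome/",
        "https://www.google.com@evil.example/chrome/",
        "https://google.com.evil.example/chrome/",
        "https://www.xn--ggle-55da.com/chrome/",
    ]:
        print(link, "->", check_download_url(link, official))
```

The check deliberately stops at "same domain or subdomain": it does not consult a public suffix list, so for vendors hosted under shared suffixes (co.uk, github.io) you would pass the full registrable name as official_domain. It also says nothing about what the file contains; that is what a signature or pinned hash is for.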

~~~
kayone
Disclaimer: I'm the author/maintainer for AppGet [0].

What you explained here is one of the main selling points (as in convincing,
appget is completely free) for appget.

AppGet pretty much automates what you explained here and more.

We automatically download and validate SHA256 of downloads (We have a strict
policy of only allowing releases from the official source)

All package info that is used to install applications is fully public in our
GitHub repository [1] (think homebrew)

Also, for less tech-savvy users, they can install applications through our
gallery e.g.
[https://appget.net/packages/i/chrome](https://appget.net/packages/i/chrome)
using appget as long as they have appget installed on the machine.

[0] [https://appget.net](https://appget.net)

[1]
[https://github.com/appget/appget.packages/tree/master/manife...](https://github.com/appget/appget.packages/tree/master/manifests)

~~~
flamtap
I use Chocolatey right now. Are there any particular advantages that AppGet
offers over Chocolatey?

~~~
kayone
There are a few :)

AppGet doesn't use custom scripts on install; everything is defined by data
(YAML files). The client uses the data in the manifest and knows how to deal
with different installers. This alone makes appget more secure; if you trust
the client (it's opensource and managed by the core team) you don't blindly
run a PowerShell script as admin on your machine.

Also, adding/updating packages is trivial since all you need to do is
update/create a very simple YAML file. Another benefit is we can upgrade the
client to better deal with let's say MSI installers, and none of the manifests
need to be updated since all the logic is in the client, the manifest only
needs to identify itself as MSI.

This also means you can install an app in different interactivity levels,
Silent (everything happens in the background), Passive (you see the installer
and progress, but you don't have to click next or do anything) or Interactive
(appget downloads and validates the installer and just launches it for you,
but you can run through the installer and customized it as you see fit)

Our packages are more up-to-date. We have a crawler that checks for updates on
a regular basis; we use the GitHub API and check vendor sites constantly (over
500K check events per day). Trivial updates are automatically pushed to the
repository. For non-trivial ones the bot automatically creates a pull request
on GitHub to be reviewed by a human. In most cases we pick up updated releases
for apps within hours.

AppGet can list, upgrade and uninstall apps that aren't even installed using
appget. We check the Windows Installer database as the source of truth. You can
download appget right now, run "appget outdated" and I guarantee it'll find
outdated apps for you.

I'm sure there are more things, this question comes up a lot, so I'm gonna
spend some time and add a page to the documentation just for this.

~~~
kakarot
Chocolatey completely turned me off from Windows package managers. I'm sure
you're familiar with all of the sore points that make it more hassle than it's
worth.

But your description of AppGet has convinced me to try it out. Thank you!

Edit: There seems to be no obvious way to globally set the install location
for apps. This is critical for my setup: I don't install apps in Program
Files, because my Windows partition is lean and on an ssd that is shared with
other VMs. Apps are installed in another drive location. Is there any way to
do this currently?

~~~
kayone
Thanks for the feedback; right now there is no global way to set this.
However, I just created a GitHub issue for it
[https://github.com/appget/appget/issues/14](https://github.com/appget/appget/issues/14)

In the meantime, what you can do as a workaround, is to use `-i` param when
installing apps to launch the installer in interactive mode. That will let you
run through the installer and customize everything including the install
location. I know it's not ideal, but if you want to use appget to
automatically download, validate the installers and check for outdated apps,
it might be a reasonable work-around.

~~~
kakarot
Still a good enough workaround to leverage the benefits of the trusted
repository. Thanks for the tip! Definitely interested in seeing #14 get
addressed :)

------
codedokode
I remember when several years ago I typed "download Flash" in Russian Google,
there were non-official sites in top results. Now Adobe's site is the first
result.

Also I tried to experiment a little. If I type "download flash player" in
Russian, official Adobe site is only on the 3rd position [1]. The first and
second results are "adobe-flash-player.ru.softonic.com".

[1]
[https://www.google.com/search?q=%D1%81%D0%BA%D0%B0%D1%87%D0%...](https://www.google.com/search?q=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%84%D0%BB%D0%B5%D1%88+%D0%BF%D0%BB%D0%B5%D0%B5%D1%80&btnG=%D0%9F%D0%BE%D0%B8%D1%81%D0%BA&gbv=1)

~~~
Ayesh
I always hate this Softonic crap. Softonic and Pinterest are cancers in SERPs.

------
greenyoda
The title of this article is deceptive clickbait.[1] The problem has nothing
to do with the Edge browser, it has to do with search results returned by
Bing, which happens to be Edge's default search engine. If you have a new
Windows 10 PC and want to download Chrome, how else could you do it besides
"using Microsoft Edge to download Chrome"? So "stop using Edge to download
Chrome" is not useful advice. Better advice would be to check the URL and
certificate information before downloading anything from any site.

And the problem seems to have been fixed. When I search for _chrome download_
on Bing, the top result is
[https://www.google.com/chrome](https://www.google.com/chrome).

[1] Successful clickbait, too. Writing an article with "download Chrome" in
the title apparently got them the top spot in Bing's "News about Chrome
Download", so anyone who searches for "chrome download" will see this article
near the top of the search results page. Very clever.

~~~
josteink
> If you have a new Windows 10 PC and want to download Chrome, how else could
> you do it besides "using Microsoft Edge to download Chrome"?

Simply visit Google.com, Gmail, Youtube or any other Google-site and await the
Chrome-spam 100% guaranteed to appear in any browser not Chrome.

My favorite one: “Upgrade your browser”. Not misleading at all, eh? How about
“no”?

~~~
TaylorAlexander
This is a tangent/pile-on, but this is not the only dark pattern google
engages in. I absolutely do not want YouTube Red. Any software that respects
the user would let you dismiss the offer with an option for “do not ask me
again.” And yet, because the software is not respecting the user, YouTube asks
me ad nauseam if I want to upgrade to YouTube Red. No. I do not. But I don’t
get an option for no. There is something like “yes” and “maybe later.” No
google. My answer is no. Please respect me enough to let me make that choice.

~~~
broknbottle
Would you like to try YouTube Red for 30 days?

~~~
ninju
No thanks (again and again) :-)

------
the_clarence
FWIW Google also returns malicious chrome ads. My father had a brand new
laptop and the first thing he did was to google chrome. He got a bunch of
malware by clicking on the first link.

~~~
EpicEng
There was a short time about seven years ago when Google was returning a
malicious link for Blizzard's BattleNet. Had my WoW creds stolen and I wasn't
what you would call naive on a computer.

~~~
bhauer
That sucks.

I know it's a tired point, but it nevertheless amuses me that someone would
_search_ for BattleNet. The name is literally the domain name: battle.net.

~~~
the_clarence
This is not a very clever point. Plenty of things used to be called
"somethingnet" in order to advertise their ties with the internet. It was
never about a tld. Kind of like how having "block" or "chain" in your app's
name makes you "cool" nowadays.

~~~
cptskippy
I wonder if it was to associate with the internet or with Microsoft branding.

Microsoft went apeshit and called all their products .NET in the early 2000s.
The branding was all over the place so I could see how calling your product
*net might get you installs by association.

------
azifali
Unfortunately the problem is not with Bing alone. There are multiple ad
networks including admob owned by google, who will serve a url, or sometimes a
script for an ad. That is unfortunately just how advertising works.

The industry never matured (to handle spam, malicious content or fraud) thanks
to the Duopoly of Fb and Google, and even the biggest players are not immune
to these issues as the onus is on the user to not to click on ads that offer
to upgrade browsers, or any system software through ads.

It is the same systems that served malicious election results, the same
systems that contributed to the echo chambers that impacted recent elections.

~~~
wtracy
Ironically, this should have been an opportunity for Bing to differentiate
themselves:

Create a "safe" ad network that is not a vector for drive-by downloads or
privacy violations, and go after publishers that are being hurt by ad blockers
or experiencing reputation damage from security breaches.

~~~
pishpash
Given the cutthroat short term metrics these companies' employees operate
under, do you really think such strategic thinking would have ever been
incentivized? It's a question whether any salutary effects can even be
reliably defined and measured to justify such a project to your boss.

------
Sephr
Explanation for the spoofed domain name:
[https://twitter.com/sephr/status/1055751684146655232](https://twitter.com/sephr/status/1055751684146655232)

Bing can easily fix this domain spoofing vulnerability. I've reported this
vulnerability to MSRC previously but received no response.

This is also why open redirects can be so dangerous. Even if this domain
spoofing vulnerability is fixed on Bing's end attackers can abuse open
redirects to achieve the same result.

~~~
nielsole
I don't think they will fix the underlying issue now. I've had the same issue
(literally trying to download Chrome) in 2014. Now that they have public
pushback they will fix just this ad placement.

I wonder what makes them think this is acceptable.

------
JCSato
The argument to ditch Windows felt kind of shoehorned in.

If Bing is returning malicious search results, that's a reason to stop using
the search engine, _not the whole OS_. The October update fiasco is a reason
to stop using Windows. These are separate issues in separate projects made by
separate teams, happening at separate times.

The implication that everything MSoft touches is insecure or otherwise out to
get me is weakly supported. It may or may not be true, but a quick toss in
of one data point about how Windows is bad and oh by the way Ubuntu is better
isn't convincing.

------
ocdtrekkie
The issue here is a broken functionality that I've reported on before with
Google Ads which Bing mirrors: Allowing advertisers to lie about the
destination URL of their ads.

Here's a screenshot of the same exploit on Google:
[https://plus.google.com/u/0/115181074626403443464/posts/fSPm...](https://plus.google.com/u/0/115181074626403443464/posts/fSPmYYLu2pH)
(The included hijack was blocked as a malicious site on Edge, but wasn't on
Chrome.)

Ads should always be forced to display in the URL text the actual URL the ad
directs the browser to. Maybe as a side bonus, fewer tracking URLs will get
used to keep it looking cleaner.
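Sephr's point about open redirects and ocdtrekkie's point about ads lying in their display URL are two faces of the same problem: the host the user reads is not the host that serves the file. The display-URL case cannot be caught from the browser before the click, since the ad text and the real destination are only visible to the ad platform. The redirect case can be spotted from the URL itself, and on the server side it is avoidable. The code below is an added example, not from either commenter's tweet or screenshot; all hostnames are constructed.

```python
"""Flag links that name one host but forward to another, and a hardened redirect.

Added example, not from Sephr or ocdtrekkie. offsite_redirects() reports
query-string targets that leave the site named in the visible URL (the
'https://trusted.example/url?q=https://evil.example/...' shape); safe_redirect()
is the server-side handler that refuses to be such an open redirect.
Hostnames are constructed for illustration.
"""
from typing import List, Set
from urllib.parse import parse_qsl, urlsplit


def site_of(host: str) -> str:
    """Crude registrable-domain guess (last two labels). A production check would
    use the public suffix list so that names under co.uk etc. are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def embedded_targets(url: str) -> List[str]:
    """Hosts of absolute or scheme-relative URLs carried in url's query string."""
    hosts = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = value.strip().replace("\\", "/")   # browsers treat \\evil like //evil
        if value.startswith("//") or "://" in value:
            host = urlsplit(value).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def offsite_redirects(url: str) -> List[str]:
    """Embedded targets whose site differs from the site in the visible URL."""
    visible = site_of(urlsplit(url).hostname or "")
    return [h for h in embedded_targets(url) if site_of(h) != visible]


def safe_redirect(target: str, allowed_hosts: Set[str], default: str = "/") -> str:
    """Hardened handler for a ?next= style parameter: follow only same-origin
    paths or https URLs whose exact host is on the allow-list; else go to default."""
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return default
    t = target.strip()
    if t.startswith("/") and not t.startswith("//"):
        return t                                   # relative path, stays on this origin
    parts = urlsplit(t)
    if parts.scheme != "https" or "@" in parts.netloc:
        return default                             # javascript:, http:, userinfo tricks
    host = (parts.hostname or "").lower()
    return t if host in allowed_hosts else default


if __name__ == "__main__":
    ad_link = "https://www.google.com/url?q=https://evil.example/ChromeSetup.exe"
    print(offsite_redirects(ad_link))              # ['evil.example']
    allowed = {"www.google.com", "dl.google.com"}
    print(safe_redirect("https://evil.example/", allowed))           # '/'
    print(safe_redirect("https://dl.google.com/chrome/", allowed))   # stays as given
```

An open redirect fixed this way still leaves the ad platform's own tracking redirector as a hop the user cannot inspect, which is the point both commenters make: the fix has to happen where the click is resolved, not in the victim's browser.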

------
simongr3dal
I never quite understood the appeal of giving some unknown third-party the
right to put links and text and javascript onto your site.

It might be labour intensive to have human eyes on every ad that is sold when
you're at Google, or even Bing, scale. But it seems a little bit too hands-
off, and irresponsible, to take money without vetting the input and then
letting every scammer get into that very "blessed" and visible top spot of a
search page.

If you want something done right, do it yourself. You can't expect scammers
not to be scamming.

~~~
arminiusreturns
I spent some time trying to understand Google's ads and SEO structure for a
project, as a sysadmin. My conclusion was the reason greyhat and blackhat
techniques weren't dealt with was because they make too much money from it... I
wrote a big report on it, but that was the gist. I'm sure the same is true of
MS et al.

~~~
solarkraft
If the report is public, would you link it?

~~~
arminiusreturns
It's not, sorry; I don't even have a personal copy, but it could be worth
redoing it publicly on my own.

------
nhkssol
Bing makes it clear when a site is promoted by prepending "ad" to the search
result. Other search engines such as DuckDuckGo and Google do the same.

It is near impossible for Bing to manually review every advert so perhaps it
would be beneficial for search engines to provide a way for users to report
rogue promoted links, similar to how YouTube allows you to report its sidebar
ads.

~~~
ravenstine
> It is near impossible for Bing to manually review every advert

Why? Are there hundreds of ad campaigns being created per second?

~~~
nhkssol
It would be possible to handle the quantity of ad campaigns, but not without
false positives or missed fraudulent ads.

If you paid a person or a team of people to remove adverts promoting fake
websites, the person reviewing the advert would have to understand the product
being sold, the company selling the product and the company's real website.
For Chrome this may be easy, but for more obscure projects such as a
cryptocurrency wallet or email client it'd be hard for a person to distinguish
between real and fake continually over the course of an 8 hour work day.

People who are searching for a product already understand that context and so
will be able to make a less erroneous judgement on whether a promoted link is
real or fake.

~~~
pavel_lishin
> _It would be possible to handle the quantity of ad campaigns, but not
> without false positives or missed fraudulent ads._

That calculus applies to just about everything.

------
OliverJones
It's possible to install Google Chrome on a Windows box with chocolatey, the
Windows answer to apt and brew.

But, still, Microsoft's browsers still aren't good. In my workplace (where we
do some complex cross-browser work) they're an enormous nuisance to
development and QA. I wish Edge were far better than IE, but they're both
quirky. Firefox and Google Chrome ordinarily work predictably. Safari has a
few quirks, Edge is really quirky, and IE is a narrow gauge steam train, all
different.

Why doesn't Redmond stop throwing good money after bad and just license
Firefox? Are they stuck in the sunk-cost fallacy?

~~~
discreditable
Chocolatey is very handy but has a few warts. It can't tell if the underlying
app has self-updated. When Chrome autoupdates after choco install, the next
time you run a choco upgrade, it will unnecessarily upgrade Chrome again.

~~~
kayone
Take a look at appget; we use Windows itself as the source of truth. So even
if an app self-updates, or you have installed the app manually or even using
Chocolatey, appget will know the _currently_ installed version.

Also, we don't run some random PowerShell script written by god-knows-who on
your machine. All installs are driven by pure data, so the only thing you need
to trust is the appget client itself.

e.g.
[https://github.com/appget/appget.packages/blob/master/manife...](https://github.com/appget/appget.packages/blob/master/manifests/slack/slack.yaml)

------
michaelmrose
Perhaps since MS makes only a tiny minority of their income from ads they can
ship an effective adblocker with their default browser. It could be great
opportunity to lead the market in a customer friendly way.

~~~
greglindahl
All of Bing's revenue comes from ads. Somehow I don't think Microsoft is
planning on disabling Bing ads in the Windows default browser.
planning on disabling bing ads in the Windows default browser.

------
AzzieElbab
Bing is likely to return spam and scams on any search. There is no conspiracy
against Chrome.

~~~
userbinator
Incidentally, the relative lack of filtering/censorship also means I've had
far more luck "Binging" obscure/fringe/questionable-content sites than with
Google. I suppose them receiving fewer DMCA takedowns also contributes.

~~~
AzzieElbab
I guess there is an upside to everything. I would definitely use bing if I
wanted to compile a list of scammers or something along these lines

------
bencollier49
Have to say, I was looking for a way to get away from Google, and I found that
Duckduckgo's results didn't work for me. Bing, though, does the job nicely.

~~~
SyneRyder
+1 here. I switched to Bing back in April when a Google algorithm update
really trashed Google's results for me (it felt like I'd suddenly gone back to
the days of Altavista & HotBot). At first my switch to Bing was out of spite,
but 6 months later I'm still using Bing & I love it. I really like how it
breaks out code snippets for StackOverflow results, for instance.

So it's frustrating to see Bing hurt their reputation with something as stupid
as this. If Microsoft want more people to switch, they've got to be at 100% in
all areas, they can't afford to let Bing Ads ruin the whole service.

------
beagle3
.. and that's why running an ad-blocker these days is not even a moral
question; it's proper hygiene. I don't eat without washing my hands first, and
I don't browse without an ad blocker.

~~~
NelsonMinar
I'm with you on that, but in this specific case people are using Edge exactly
once on a new machine in order to download Google Chrome. It's reasonable to
assume they aren't going to bother installing an ad blocker on Edge for this
use.

~~~
Tsubasachan
Pretty sure Malwarebytes would catch this. Or any AV.

Malware like this targets the lowest hanging fruit I guess.

------
jamieweb
Using browsers to download software should never have become the standard
practice...

Linux got it right with the built-in package repositories. Unfortunately
Windows and Mac have never really adopted the super-easy "apt install this"
style.

~~~
partiallypro
Yeah, I mean obviously what the average user wants is to have to type in
apt-get commands and find the slug to get the right package instead of clicking
a link. Very intuitive.

You know how Google & Firefox could easily help fix this? List their browsers
in the Mac and Windows Store.

~~~
Dylan16807
Browsers are banned from the Windows Store. For 'security' reasons.

It's tricky to get win32 apps in general into it, too.

~~~
partiallypro
No they aren't, the UC Browser is listed in the Windows store (third most
popular mobile browser in the world), along with some others. Microsoft has
popular mobile browser in the world,) along with some others. Microsoft has
been very willing to help companies list Win32 apps in the Windows store,
especially large ones.

~~~
Dylan16807
Interesting. But I think UC Browser is special by being sort of a thin client.
The store policy is quite clear: "Apps that browse the web must use the
appropriate HTML and JavaScript engines provided by the Windows Platform."

For general win32 apps I do think the situation has improved since I last
looked.

------
a3n
_Ads considered harmful._

------
iamgopal
For all the shit Google is taking lately, we should give them a big shoutout
when their own cloud pages and other product pages rank way down in their own
Google search ranking.

------
nobody271
It looks like they've fixed it but a few months ago I googled "Microsoft
Customer Support" and the top results were all to obvious scam sites.

------
xmodem
I often dig into phishing and malware spam I receive, reporting it to the
abuse@ address for the sending network, and reporting any links hosting
malware.

I frequently come across malware hosted on onedrive and I've stopped bothering
to try to report it, it's still there months later and I've never received a
response from Microsoft.

------
red_admiral
It always used to be fun to count how many malware sites appeared before the
real one when you searched for "download vlc" with yahoo. They've fixed that
one now, but in 2017 it was still definitely a problem.

------
zawerf
[https://www.youtube.com/watch?v=g-U7a04GTpk](https://www.youtube.com/watch?v=g-U7a04GTpk)

------
vxNsr
I usually use ninite to set up first time downloads, it's great because you
can just run it again every couple weeks to make sure all your software is up
to date.

It avoids using malicious options accidentally and it also means I don't need
to go through each installer. Plus I can just send the file to friends and
family when they get a new comp.

edit: just wondering why people disagree with this idea?

------
kerng
This is another reason why the ad business is flawed.

------
holri
The real problem here is that a system allows users to install unsigned
software.

~~~
porlune
From the article:

> The download itself is called "ChromeSetup.exe," but examining the digital
> signature reveals "Alpha Criteria Ltd."

It was signed, but most users won't catch that it's signed by the wrong party.

------
natuz
This has been happening for so long that it's hard to believe Microsoft is not
aware of it.

~~~
ocdtrekkie
Given the malware Google's ads also ship, which Googlers here on HN have tried
to have removed only to return an hour later, suffice to say malicious ads are
an industry pervasive problem, and the solution is to kill the online
advertising market. Aggressively.

In fact, when I tried to look for a specific class of malicious ads (looking
for "mapquest") recently, DuckDuckGo was even as bad as Google; it was Bing
who gave the least malicious results. But obviously they've failed here.

Automated advertising platforms have been overrun by malware and no automated
solutions are going to fix it.

~~~
jamieweb
Nowadays it's impossible to support the creators you enjoy online by
whitelisting ads without exposing your device to multiple megabytes of
untrusted, vulnerability-filled JS and iFrames with links off to malware
sites.

I think that the sponsorship model many YouTubers use these days works really
well, because there isn't any code involved that I have to run.

~~~
matt4077
I don't remember "untrusted JS" being any sort of problem in the last, say, 10
years?

Now I'm sure you can dig up some vulnerabilities, and a select few of them may
even have had (remote) exploits. But I've never run into any problems, and I'm not
especially careful, have been around the seedy underbelly of the web, and
don't run any anti-virus. Just not clicking on any .exe that suddenly
downloads seems to be enough. Being on MacOS rather than Windows may also
help, although as far as I can tell, security on Windows today is also far far
better than it was a decade or so ago.

Considering all that, I can't shake the suspicion that people complaining
about JS vulnerabilities to defend their use of ad blockers are just searching
for justification.

~~~
clarry
Not "JS vulnerabilities", but things that waste memory & cpu cycles and in
worst case exploit your PC for things like bitcoin mining.

Also consider that most browser vulnerabilities -- not "JS vulnerabilities"
-- are virtually impossible to exploit without JS.

------
rustcharm
This one is especially bad, but there's a major problem in general. I have to
constantly warn people not to "google" for printer drivers or video drivers,
etc, because the links they'll get from any search engine are almost certain
to be malware.

------
Tsubasachan
I am always amazed people actually fall for these.

------
dunpeal
Microsoft back to its old tricks, I see.

------
ledriveby
Too bad Edge doesn't support Safe Browsing mode. IIRC the API is publicly
available too; MS doesn't want to swallow its pride and implement a client for
it.

------
michaelmrose
So basically Microsoft's browser isn't even safe to use temporarily to
download a real browser. In 2018 can we stop pretending that any web browser
is a safe, effective way to acquire any software? While it can be done, people
have been consistently getting pwned for decades now.

Software should be distributed via apps stores. Preferably vetted lists as
opposed to free-for-alls you can post malware to for $25.

Linux has been doing this correctly for a long time. Any time you guys at
Microsoft want to rip this off properly would be absolutely fantastic.

~~~
jamieweb
The scariest thing about this example is that the green "URL" below the ad
says "www.google.com". Who thought it would be a good idea to allow
advertisers to fake the URL like that?

Unless it's an IDN homograph attack?

