In the past couple of years we have had a few threads dealing with download aggregator sites which used ‘installers’ bundling genuine updaters with adware. CNet’s Download.com (successor to VersionTracker) and Softonic come to mind. Recent developments suggest that MacUpdate may have to be added to such sites, despite previous noises to the contrary. So far, not all updaters are adware-bundled (yet), but the fact that MacUpdate is actively ‘moderating’ complaints and cautionary comments (scroll down) on the affected pages doesn’t help spotting the ones that are.

Contrary to CNet’s Download.com, the adware-installer hobbled MacUpdate downloads are not immediately obvious as such; only after downloading and opening the XYZ Installer.dmg is the user presented with a nondescript ‘MacUpdate installer’ instead of the properly named software. Suffice it to say that one should NOT run these, but navigate to the original software publisher’s website (a link is present on the software’s MacUpdate page) and download the official updater or installer directly from them. I plan to update this post when more specifics become available.
Originally Posted By: alternaut
... Suffice it to say that one should NOT run these, but navigate to the original software publisher’s website ... and download the official updater or installer directly from them.

This is always the best policy, one I have followed from Day One.
In the latest development (at least as far as I have experienced it), MacUpdate uses what it calls a ‘MacUpdate Bundle’* to update certain software. I first noticed this today with MacUpdate’s Little Snitch 3.6.1 updater. It consists of a disk image containing several items, including a small Little Snitch updater file, (apparently to go with) the MacUpdate Desktop app, plus a folder called ‘Manual Install’ containing the LittleSnitch-3.6-5.dmg.

Note that this bundle does NOT appear to contain any adware**, but may be an attempt to increase the use of MacUpdate’s software auto-updating utility MacUpdate Desktop. The bundle image also contains a complete Little Snitch updater, albeit not the latest one, but version 3.6. MacUpdate also lists a link to the software publisher’s website, allowing the user to check or download an update directly.

Despite this potentially confusing development, I still think consolidator sites like MU are useful, if only as a means to track update availability. But their simple and safe usage may get compromised by 'value-added' bundles like these.


*) NOT to be confused with the MacUpdate discount software bundles.

**) I do not use the MacUpdate Desktop utility, and so cannot vouch for the absence of adware activities there, but I haven’t heard anything to the contrary either.
Originally Posted By: alternaut
I still think consolidator sites like MU are useful....

I always link to MacUpdate rather than developers' sites, because MU offers both positive and negative feedback and a link to the dev, whereas devs' sites frequently don't post negative reviews and rarely link to MU.

I guess that from now on I'll just have to add a caveat about carefully examining d/l's to see what's in them. :(
I'm not sure you can always examine a download to see what's in it until you have done the installation, at which point it is too late. Yes, I know you can use applications like Pacifist to examine packages, but not all installers are of that type.

But you have provided a solution—use MacUpdate to see what's new, to read reviews, etc., and then use the provided link to the developer's site for a direct download. I use MacUpdate this way and find it to be a useful site and service.
Originally Posted By: Ira L
I'm not sure you can always examine a download to see what's in it until you have done the installation, at which point it is too late. Yes, I know you can use applications like Pacifist to examine packages, but not all installers are of that type.

Pacifist is good for that but is trial-ware. There are terminal commands to do the same thing (Pacifist is merely a front-end for terminal commands) but they're not too user-friendly.

man pkgutil for more information
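
The terminal route mentioned above, as an added example that is not part of the original post: it unpacks a flat .pkg with pkgutil and lists its install scripts, component identifiers and payload files without installing anything. The function names and the scratch directory are assumptions, and pkgutil and lsbom exist only on macOS.

```shell
#!/bin/sh
# Added example: inspect a flat installer package before running it.
# Usage (macOS): sh inspect_pkg.sh /path/to/Some.pkg
# Function names and the scratch directory are illustrative assumptions.

# Check the signature, then expand the package; nothing gets installed.
expand_pkg() {
    pkgutil --check-signature "$1" >&2 || echo "warning: signature check failed" >&2
    pkgutil --expand "$1" "$2"
}

# Every file under a Scripts directory runs, or can be called, at install time.
list_install_scripts() {
    find "$1" -type f -path '*/Scripts/*' | sort
}

# Component identifiers are recorded in each component's PackageInfo file.
list_component_ids() {
    find "$1" -type f -name PackageInfo -exec \
        sed -n 's/.*<pkg-info[^>]* identifier="\([^"]*\)".*/\1/p' {} + | sort
}

# Paths the installer would write, read from each bill of materials (Bom).
list_payload_files() {
    find "$1" -type f -name Bom | while read -r bom; do
        lsbom -s -f "$bom"
    done
}

# Runs only when a package path is given on the command line.
if [ "$#" -ge 1 ]; then
    scratch=$(mktemp -d)/expanded      # pkgutil --expand needs a new directory
    expand_pkg "$1" "$scratch" || exit 1
    echo "== Component identifiers =="; list_component_ids "$scratch"
    echo "== Install scripts ==";       list_install_scripts "$scratch"
    echo "== Payload files ==";         list_payload_files "$scratch"
    echo "Expanded copy left in $scratch for reading the scripts."
fi
```

This covers package-type installers only; an application that performs its own installation, like the one inside the disk image discussed in this thread, has no package to expand.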
(Damn!!! I ran across an in-depth discussion of this subject between a MacUpdate editor and a poster, but I forgot about this thread and failed to make note of it. Sorry, guys. :( )

As per this screenshot of alternaut's referenced Little Snitch d/l, no examination of the package is necessary; all you need to do is be careful to click on "Manual Install"...ONLY!

Further discussion of Pacifist below, in case this issue descends deeper into the muck.
Originally Posted By: V1
Pacifist is good for that but is trial-ware.

I've run across three solutions:
  1. Pacifist app & QuickLook Plugin / $20 shareware
  2. unpkg app / Donationware
  3. Suspicious Package QuickLook Plugin / Freeware
Here's a brief comparison of the three.
I read on another site something that leads me to believe MacUpdate includes the "miscellaneous" installers only if you are not a paid subscriber.

I am a paid subscriber and have never seen these other issues. Can someone who has experienced them confirm your paid/unpaid status?
Paid MU subscribers - I'm not one of them. - run ad-free (Scroll down at Upgrade Your Membership.), but I've never seen any mention of how/if paid status affects the installer.

As a matter of fact, I've never seen any reference to the installer other than in posted complaints and the exchange I forgot to bookmark. (I know from that exchange that the installer is only trial-basis at the moment, but I don't know to what extent it's been implemented.)

Have you tried d/l'ing Little Snitch to see if what you as a paid subscriber get differs from the screenshot I posted?
FWIW I: I have a "paid" version of MU. Still, I routinely run DetectX & ScamZapper. So far, no miscreants noted. Whether 'tis a consequence of the "paid" MU or some other variable, I dunno.

FWIW II: Ya gotta love MU's business model: Feel free to use our site at no cost. Of course, you may well get infected. Or, use our site and not get infected. But to do that, you gotta pay us.

FWIW III: If you have LittleSnitch running in Silent Mode, you may care to check MU-- many connections to Google & the like. (I have blocked those with no adverse consequences.)

I don't harbor ill feelings toward MU. But a pox on their house would be nice...
MacUpdate attempts to explain it all: Installer Info
After reading MacUpdate's explanation I can no longer recommend MacUpdate to my non-technical Mac-using friends. MacUpdate is assuming too much knowledge on the customer's part. For even a technically sophisticated and reasonably aware power user or near power user it would still be "use at your own risk".

From now on I'm going to link to MU for reviews and recommend d/l'ing via the dev's website link. Too many hoops to jump through otherwise. :(

Payment for functionality is fine; payment to avoid dis-functionality smacks of blackmail. >:(
© FineTunedMac