Creative: Advertising Spyware

[jerry]

Advertising Spyware: NewsUpd.exe

NewsUpd.exe is a spyware program that is silently installed when installing certain Creative Labs hardware, including the SoundBlaster 16. This program is not disclosed in the License Agreement or mentioned in the relevant documentation.

This really burns me up. This isn't some sleazy shareware application downloaded from God-knows-where, but legitimately purchased hardware from a legitimate-looking company, that is installing advertising spyware along with its hardware drivers!! This is a clear betrayal of user trust. (Ed. note: I discovered this particular piece of spyware when installing a Creative Labs SB16 on my OWN system, so I am quite obviously angered. The heads-up came when Zone Alarm alerted me that an unknown application newsupd.exe was trying to access the Internet. Creative has yet to make good on my request for a refund on my advertising-subsidized hardware purchase.)

The spyware components are not mentioned in the License Agreement presented with the software install and registration nag. The only possible "disclosure" is a section of the License which states:

Creative does not warrant that the functions contained in the Software will meet your requirements or that the operation of the Software will be uninterrupted, error-free or free from malicious code. For purposes of this paragraph, "malicious code" means any program code designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network, including viruses, Trojan horses, droppers, worms, logic bombs, and the like.

The program downloads "news" (advertisements) from http://ctnews.creative.com, a dedicated ad server.

This may be from an updated (or entirely new!) version of Creative Labs spyware, but the unmistakable AdvServ.sys and similar files indicate beyond reasonable doubts, they are indeed files of some NewsUpd.exe variant. The URL lines in AdvServ.sys and Default.sys point to tg.creativeinspire.com. At the time of this writing (21-Jun-2001), accessing the home page returns this document (containing "f*ck CHINA Government, f*ck PoizonBOx"), apparently resulting from infection by the sadmind/IIS worm. The worm uses a recently-discovered buffer overflow exploit to take over (root) the server. (Does newsupd.exe have auto-update functions? If the server running it has been compromised, what might this server hold in store for hapless users' newsupd.exe connecting to it...)

On Dell systems, Creative's spyware file is named UPDTRAY.EXE.

FileMonitor log for NewsUpd.exe - I found the reading/writing of IE cache files particularly disturbing...I hope this is a natural phenomenon related to NewsUpd possibly using IE libraries to download and display ads, and nothing less above-board :-(

Source

Any Creative soundcard owners care to confirm this for us ? :unsure:

[kennyout]

sad fact when good companies allow this...

of course I expected Dell to hold crap like that anyway....but Creative?.....just not right...

lucklly i don't buy sound cards....because I don't know sound well enough to know anybetter...but i do have their 5.1 5200 Speakers

[DigitalN.]

wow, I dont have anything like this, but I guess I wont be using any Creative sound cards anytime soon, until they dont implement this anymore :(

[OptiPlex]

Hmm, don't use the InstallShield installer then. Install manually...

[kennyout]

or just install a driver from their site?.....hmmm....wonder if its in there too?

[Furrybeagle]

Maybe the UPD stands for update? Seems logical to me...

[Ivand]

damn... I'd never thought of Creative bludling spyware.. :blink: :no:

[Veedems Veteran]

I've never had this file under any of my 5 or so creative cards through the years. Don't know what he's on.

[Emon]

I've never had this file under any of my 5 or so creative cards through the years. Don't know what he's on.

same here .. I own many many Creative products ..from AWE64 to Nomad Muvo2. None of their software/driver installer had this file in them.

and look how old this article is ..

At the time of this writing (21-Jun-2001)

:huh: :huh:

[jerry]

and look how old this article is ..

:huh: :huh:

sorry didnt see that part. :pinch:

[xxpor]

isnt the blaster 16 for windows 3.1? lol

[L3thal Veteran]

Never saw this proccess running on my computer and I did install their latest drivers for my Sound Blaster Live!

[blackcoffee]

Wow; that is so lame............ :angry:

[sizduman]

that evil....evvviiilllll

[Nelsinho]

Never saw this proccess running on my computer and I did install their latest drivers for my Sound Blaster Live!

same here :yes:

[episode]

At the time of this writing (21-Jun-2001)

::welcome to last year:: x3

[AgEnTsMiTh]

Never seen this as well and I have owned a SB16. SB Live, and now an Audigy 2 ZS.

I think this is 100% BS

[tehJR]

ya same here, never had any issues like this.

[kabanero]

Never seen this as well and I have owned a SB16. SB Live, and now an Audigy 2 ZS.

I think this is 100% BS

No, it is not.

I still have original SB Live sound card. And when I was using Createve drivers it was isntalling that NewsUpd.exe file.

Now I use KX Project drivers and everything is great.

Here is the link if anybody interested in KX drivers:

KX Project drivers

[joker999]

Hmmm kabanero: 1 post.

[Sartoris]

I have the Audigy 2 ZS Platinum and with the drivers and MediaSource installed. No spyware on my computer.

[Marduk]

I've got an Audigy 2 zs with drivers and all that junk installed also spyware free.

[Daybreak]

NewsUpd exists. I recall seeing it run, while it was way back then (more like the era of Windows 95), and even then, I recall it as a startup application (run once, disappear) rather than a task hanging around in the background.

Haven't seen it in any new Creative drivers for any reasonably modern soundcard anymore though :p

[morkuma]

<booradley> I'd like to perform a one act play I call, "Creative screwed me like a bitch"

<booradley> <audigy> Buy me! I'm ever so sexy

<booradley> <boo> ok. come home with me and we'll play among the stars

<booradley> <audigy> tee hee! I love you, boo!

<booradley> <boo> I love you too, audigy

<booradley> :: later ::

<booradley> <boo> there, you're all installed. how do you feel?

<neshura> down in front!

<booradley> <audigy> LET JESUS **** YOU! VRAAAGH!

* audience gasps.

<booradley> * audigy is putting noise across your PCI channels

<booradley> <hard drive> Mein leben!

<booradley> * hard drive has died

<booradley> <audigy> Blaaah! blaaaugh! your mother sucks cocks in hell! graaagh!

<booradley> <modem> aaieee

<booradley> *modem has died

<booradley> and the new modem I got connects at 32k tops

<Shendal> By far, that's the best one-act IRC play I've read this season.  Do I smell a Tony award?

[rob2090]

<booradley> I'd like to perform a one act play I call, "Creative screwed me like a bitch"

<booradley> <audigy> Buy me! I'm ever so sexy

<booradley> <boo> ok. come home with me and we'll play among the stars

<booradley> <audigy> tee hee! I love you, boo!

<booradley> <boo> I love you too, audigy

<booradley> :: later ::

<booradley> <boo> there, you're all installed. how do you feel?

<neshura> down in front!

<booradley> <audigy> LET JESUS **** YOU! VRAAAGH!

* audience gasps.

<booradley> * audigy is putting noise across your PCI channels

<booradley> <hard drive> Mein leben!

<booradley> * hard drive has died

<booradley> <audigy> Blaaah! blaaaugh! your mother sucks cocks in hell! graaagh!

<booradley> <modem> aaieee

<booradley> *modem has died

<booradley> and the new modem I got connects at 32k tops

<Shendal> By far, that's the best one-act IRC play I've read this season.  Do I smell a Tony award?

:laugh: