RealPlayer/RealDownloader poses as Firefox running on 64-bit Linux and sends HEAD and GET requests

I recently noticed some strange HTTP logs where a resource would be requested twice with two different User-Agent headers. In one case, the first request suggested the client was running Chrome on Windows, while the second request indicated that it was coming from Firefox on Linux. This didn’t make a lot of sense, so I did some digging.

The culprit turns out to be RealPlayer (and previously RealDownloader, a separate application that now seems to be abandoned). RealPlayer places an overlay over supported browsers (Internet Explorer, Firefox and Chrome and possibly others) that allows the user to save videos from web pages. It doesn’t seem to be a browser plugin as such – it runs in its own process and sends HTTP requests independently of the browser.

RealPlayer browser overlay

The software just happens to set the User-Agent header to something like Firefox running on 64-bit Linux. I sacrificed a virtual machine and installed all manner of RealPlayer software to try and reproduce this behaviour, and the latest version sends requests like the following:

My browser’s actual User-Agent header is:

Based on this blog post and this Yahoo! Answers question, the following User-Agent header was used by an earlier version of the software:

The Gecko build date and Firefox version number (but not the ‘rv’ token!) have been bumped up, but everything else (including the weird trailing ‘Chrome’ identifier) are the same.

I bet somebody got a really nice bonus for that feature: The ‘Get Windows 10’ notification area icon

As the great Raymond Chen once wrote:

I often find myself saying, “I bet somebody got a really nice bonus for that feature.”

“That feature” is something aggressively user-hostile, like forcing a shortcut into the Quick Launch bar or the Favorites menu, like automatically turning on a taskbar toolbar, like adding an icon to the notification area that conveys no useful information but merely adds to the clutter, or (my favorite) like adding an extra item to the desktop context menu that takes several seconds to initialize and gives the user the ability to change some obscure feature of their video card.

The ‘Get Windows 10’ application that Microsoft deployed to Windows 7 and 8.1 machines earlier this year as a recommended – not even optional – update (KB3035583) sure fits this bill.

In short, every eligible Windows 7 and Windows 8.1 user ends up with this icon in their notification area: Get Windows 10 Icon

Apart from looking fairly ugly (that top edge in particular is a blurry mess), there’s no way to close it even temporarily, short of killing GWX.exe in the Task Manager – note also that no-one thought to give it a descriptive name; it’s just ‘GWX’.

I understand Microsoft’s desire to have users promptly upgrade to Windows 10 (even if I wish they would delay its release by a year or so), but this kind of approach just destroys goodwill.