• A close look at how Oracle installs deceptive software with Java updates
    78 replies, posted
Not sure if this fits in this section. It's an article about the whole Java situation and why we should start dropping Java due to the fact that it's just asking to be dropped. (Mods can remove this if they find this article to be too long etc)

[h2]A close look at how Oracle installs deceptive software with Java updates[/h2]

[B]Oracle's Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. With each update, Java actively tries to install unwanted software. Here's what it does, and why it has to stop.[/B]

Congratulations, Oracle. Java is the new king of foistware, displacing Adobe and Skype from the top of the heap. And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.

In coordination with Ben Edelman, an expert on deceptive advertising, spyware and adware, I've been looking at how Oracle delivers Java to its customers and who it has chosen to partner with. The evidence against Oracle is overwhelming. Specifically:

• When you use Java’s automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
• With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s “recommendation,” you end up with unwanted software on your PC.
• IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
• The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.

I’ve spent the past weekend installing and updating Java on an assortment of physical and virtual test PCs to see exactly how the Java updater works. Here’s what I found.

When you install Java on a Windows PC for the first time, the installer includes this step, which I’ve previously documented:

[img]http://cdn-static.zdnet.com/i/r/story/70/00/009830/java-ask-foistware-516x393.png?hash=LGt1A2MxBQ&upscale=1[/img]

Notice how the check box for that Ask toolbar is selected already. If you click Next or press Enter, that toolbar is installed into Internet Explorer, Chrome, and Firefox.

But surely you can just clear that checkbox, continue, and move on. Right?

Well, yes. Until there’s an important security update, which happens with depressing regularity to the Java browser plugin. (There have been 11 updates to Java SE 7, including six that fixed critical security issues, in the 18 months since its initial release.) Java’s updater forces the user to go through the same installation process, with the same pre-selected option to install unwanted software.

The reason, of course, is money: Oracle collects a commission every time that toolbar gets installed. And the Ask installer goes out of its way to hide its workings.

As I confirmed in my testing, when you update Java and simply click or press Enter to accept the default settings, the Java updater completes its installation first and displays this result:

[img]http://cdn-static.zdnet.com/i/r/story/70/00/010038/java-update-complete-v2-420x318.png?hash=Mwp2MQuzZQ&upscale=1[/img]

That dialog box is not telling the truth.

In the background, the Ask toolbar installer continues to run, but it delays execution for 10 minutes. If you are a sophisticated Windows user and you missed the initial checkbox, your natural instinct at this point would be to open Control Panel and check Programs and Features. When you do, you will see that only the Java update has been installed. You might also check your browser settings to confirm that no changes have been made to your settings. You might conclude that you dodged a bullet and that the unwanted software wasn’t installed.

But you would be wrong. The Ask installer is still running, and after waiting 10 minutes, it drops two programs on the target system. The only indication that this installer is running is a brief flash of the mouse pointer. A check of the Windows event logs shows that the installer completed its activity exactly 10 minutes after the Java installer finished, and the two Ask modules show up in the list of installed programs.

[img]http://cdn-static.zdnet.com/i/r/story/70/00/010038/java-update-adds-ask-toolbars-v2-457x123.png?hash=MGOxAwH1MG&upscale=1[/img]

I’ve never seen a legitimate program with an installer that behaves this way. But spyware expert Ben Edelman notes that in the early part of the last decade this trick was business as usual for companies in the business of installing deceptive software. That list includes notorious bad actors like WhenU, Gator, and Claria.

In a new post, Edelman thoroughly analyzes the Ask toolbar and breaks down the deceptive behavior that the toolbar itself is associated with:

• The Ask toolbar “takes over default search, address bar search, and error handling.” As Edelman notes, “That's an intrusive set of changes, and particularly undesirable in light of the poor quality of IAC's search results.”
• If you use the toolbar’s search box, you’re sent to “an IAC Mywebsearch results page with advertisements and search results syndicated from Google [with] listings that are intentionally less useful -- focused primarily on IAC's business interest in encouraging the user to click extra advertisements.”
• Unlike a Google search page, ads at IAC Mywebsearch lack “distinctive background color to help users distinguish ads from algorithmic results. Furthermore, IAC's voluminous ads fill the entirety of the first screen of results for many searches. A user familiar with Google would expect ads to have a distinctive background color and would know that ads typically stop after at most one screen … the user might well conclude that these are algorithmic listings rather than paid advertisements.”
• The ads on the Mywebsearch pages ignore standard industry practice and Google rules and make the entire ad clickable, “including domain name, ad text, and large whitespace … IAC's search result pages expand the clickable area of each advertisement to fill the entire page width, sharply increasing the fraction of the page where a click will be interpreted as a request to visit the advertiser's page.”

This is sleazy stuff. If you have installed this software, it affects searches you run from the address bar in any browser, including Chrome. Installing the Java update on my main PC hijacked the default search provider in Chrome 24 (the current version) and redirected searches from the Google omnibox (the address bar) to Ask.com. At no point was I asked for permission to make these changes to the settings in Chrome. (A reasonable person would not conclude that clicking "Next" in a dialog box to install an update has the same legal effect as "I agree" to a set of license terms.)

[img]http://cdn-static.zdnet.com/i/r/story/70/00/010038/search-settings-changed-in-chrome-no-consent-v3-615x244.png?hash=BGH1ZQp0Lw&upscale=1[/img]

The Ask search results for the title of my new book included seven ads at the top of the page, with background color and visual styles that were indistinguishable from web search results. Three of those ads were for deceptive or misleading "PC fix-it services" or software. One ad, ironically, offered an unauthorized download of the free Microsoft Security Essentials that included its own adware bundle. The actual result I was looking for was in the seventh position under the Ask web search results. The same search at Google.com included only one clearly labeled ad, and the best search result was in the third position in results.

The screen below shows the ugly Ask toolbar and the Ask icon at the top of the Chrome window. Both were installed without informed consent and with no warning except the original misleading dialog box in the Java updater.

[img]http://cdn-static.zdnet.com/i/r/story/70/00/010038/ask-search-results-in-chrome-620x331.png?hash=ZJIyAGR4MJ&upscale=1[/img]

Uninstalling the Ask toolbar does not restore the previous search settings in Chrome 24. You have to make that change manually.

The good news is that browser makers collectively are making it more difficult for toolbars like this to be installed and enabled inadvertently.

• Beginning with Internet Explorer 9, new toolbars and other add-ons are disabled by default. You must specifically enable them before they’re active.
• Mozilla Firefox has a similar add-on approval feature.
• Beginning with version 25 (now in beta), Chrome will block add-ons that are installed by third parties and will require the user to specifically enable them.

[img]http://cdn-static.zdnet.com/i/r/story/70/00/010038/ask-toolbar-additions-in-ie9-584x120.png?hash=ZGMxAwyuMJ&upscale=1[/img]

And here’s the extra visual aid added in Firefox, which also appears in a prominent window on first run after the installation of the toolbar:

[img]http://cdn-static.zdnet.com/i/r/story/70/00/010038/ask-toolbar-additions-in-firefox-609x478.png?hash=AQp0BTDlAJ&upscale=1[/img]

These additions to the UI are being added as a bit of social engineering designed to convince the user to override legitimate security settings.

(A side note: In Windows 8, Internet Explorer 10 refuses to install the Ask toolbar at all, although it does install with Chrome 24. An error message in the event logs suggests the installer isn't working properly with IE 10.)

Interestingly, while Oracle continues to junk up Java with these aggressive installer mechanisms, Adobe has moved the opposite direction over the past year or so. Installing Adobe Flash or Reader for the first time on a Windows PC still includes the option to install third-party software (typically Google Chrome and the Google toolbar for Internet Explorer). But updates are handled automatically in the background. If you enable the Adobe updater, updates just work, with no attempt to install anything other than the updates.

Even better, both Google and Microsoft have incorporated Flash into current versions of their browsers (Internet Explorer 10 and all recent releases of Chrome), so that installing a plugin isn’t required. Updates are handled through Windows Update and the Chrome Updater, respectively.

The Skype installer, which once offered to install toolbars and add-ons, no longer does so (although it does attempt to change the user's default search engine and home page, a behavior that shouldn't be tolerated).

Java’s updater, by contrast, is a mess. It doesn’t work properly with limited user accounts, and as I’ve demonstrated here, it requires user interaction and unethically attempts to push add-ons that no sane Windows user would accept if they knew how that software works.

And to add injury to insult, the updater takes its own sweet time notifying you when important security updates are available. As the text in the updater dialog box makes clear, you might have to wait between 7 and 30 days after an update is available before you're notified of it. And then you're forced to initiate the update yourself, avoiding the unwanted software along the way. It's no wonder so many people are running outdated and highly vulnerable Java plugins.

I continue to recommend that Windows users avoid installing Java at all, if possible. If you must run it, consider using Ninite to keep it updated in a timely fashion without being annoyed by potentially unwanted software. But for those who aren't aware of options like that, the update process should be fast, accurate, and transparent. Oracle has a responsibility to clean up its act and end its relationship with IAC.

[B]SOURCE: [/B] [URL]http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/?s_cid=e539[/URL]

Can we drop Java now?
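The article's key forensic observation is that the bundled installer finishes exactly 10 minutes after the Java update, so a look at Programs and Features right after the update shows nothing. The script below is an added example, not code from the ZDNet article or from anyone in this thread: it parses a constructed, simplified rendering of Windows Application-log MsiInstaller "Installation completed successfully" records (event ID 11707) and flags any non-Java product that finished installing within a short window after a Java install completed. The log line layout, the product names and the timestamps are all constructed for the example; real Event Viewer output would need to be exported (for instance via `wevtutil` or PowerShell) and fed through an adjusted parser.

```python
"""Flag installs that complete shortly after a Java update completes.

Added example; the log text below is constructed, not real Event Viewer output.
The one-line-per-event layout is an assumption chosen to keep the parser short.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# MsiInstaller event ID for "Product: X -- Installation completed successfully."
MSI_INSTALL_COMPLETED = 11707


@dataclass(frozen=True)
class InstallEvent:
    when: datetime
    event_id: int
    product: str


# Constructed sample log modelled on the timeline in the article: the Java
# update finishes, nothing else happens for ten minutes, then two Ask modules
# appear. The Firefox install hours later is there as a benign control.
SAMPLE_LOG = """\
2013-01-20T14:00:00 MsiInstaller 11707 Product: Java 7 Update 11 -- Installation completed successfully.
2013-01-20T14:00:01 MsiInstaller 1033 Windows Installer installed the product. Product Name: Java 7 Update 11.
2013-01-20T14:10:03 MsiInstaller 11707 Product: Ask Toolbar -- Installation completed successfully.
2013-01-20T14:10:05 MsiInstaller 11707 Product: Ask Toolbar Updater -- Installation completed successfully.
2013-01-20T16:30:00 MsiInstaller 11707 Product: Mozilla Firefox 18.0 (x86 en-US) -- Installation completed successfully.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) MsiInstaller (?P<id>\d+) Product: (?P<product>.+?)"
    r" -- Installation completed successfully\.$"
)


def parse_log(text: str) -> List[InstallEvent]:
    """Extract 'installation completed' events; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. event 1033 or unrelated Application-log entries
        events.append(
            InstallEvent(datetime.fromisoformat(m["ts"]), int(m["id"]), m["product"])
        )
    return events


def is_java_product(name: str) -> bool:
    return "java" in name.lower()


def find_trailing_installs(
    events: List[InstallEvent], window_minutes: int = 15
) -> List[Tuple[str, str, float]]:
    """Return (java_product, other_product, delay_seconds) for every non-Java
    install that completed within window_minutes after a Java install completed.

    A delayed bundled installer shows up here as a tight cluster of products
    completing a fixed interval after the update the user actually asked for.
    """
    done = sorted(
        (e for e in events if e.event_id == MSI_INSTALL_COMPLETED), key=lambda e: e.when
    )
    window = window_minutes * 60
    hits = []
    for anchor in (e for e in done if is_java_product(e.product)):
        for follower in done:
            if follower is anchor or is_java_product(follower.product):
                continue
            delay = (follower.when - anchor.when).total_seconds()
            if 0 < delay <= window:
                hits.append((anchor.product, follower.product, delay))
    return hits


if __name__ == "__main__":
    for java, other, delay in find_trailing_installs(parse_log(SAMPLE_LOG)):
        print(f"{other!r} completed {delay / 60:.1f} min after {java!r}")
```

Run against the sample, it reports both Ask modules at roughly ten minutes after the Java update and says nothing about Firefox. In practice the window is the tuning knob: the article's observed delay was exactly 10 minutes, but a wider window costs little because legitimate installs rarely land within minutes of an unrelated update.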
Time to switch to C# I guess.
I really miss Sun Microsystem. Fucking Oracle.
-snip-
[QUOTE=djjkxbox360;39328605]This article isn't true, I've installed plenty of Java updates, and it still allows you to deselect the Ask toolbar, even if it's selected by default[/QUOTE] It still tries to give it to you.
With the recent security flaw in the news, my dad actually called me thinking something was wrong after he updated Java which installed the toolbar. Also, I find every installer that has auto checked the "I want to install a million browser toolbars" checkbox to be disgusting. Should be illegal.
I only update so the annoying ass popup goes away.
I wish stuff like this was illegal
And to people who say "just pay attention to the installer," see this post from the discussion on HN yesterday: Just to tell my experiences on this, I was [I]forced[/I] to install the crapware last week. There was no way for me to uncheck or opt out of the checkbox. I have machines which I connect to that do not have any mouse connected. I have no problem in navigating systems with a keyboard and can run through installers probably quicker than most people with a mouse can, but when this dialog popped up for me, I was stumped for about 10 minutes. I employed every shortcut in my keyboard-shortcut arsenal and fell short. I genuinely felt like this was not just some programming mistake (because the "Next" control was already highlighted waiting for me to hit Enter). It is a dark pattern that was purposefully introduced to their installer to make it impossible for users like me to opt-out of their installer. A consequence of their deception was that they did get a dozen installs from me, but my dislike for Oracle increased tenfold, and in a quiet-protest, I'll make damned sure that I suggest any alternative to an Oracle product when I have reasonable alternatives (Without cutting off my nose to spite my face).
Give it at max a year before such business practices are banned in the EU.
Yay, even more reason for me to not get back into minecraft. Not that I care much, I uncheck the box when I install things that have packaged toolbars, and I always disable automatic updates + notification thereof. [QUOTE=Untouch;39328690]I only update so the annoying ass popup goes away.[/QUOTE] I just disable automatic updates and turn the notifier off entirely. If it works don't fix it.
I constantly have to remove this spyware toolbar from customer's machines simply because it's included by default in an installation of Java. It would be fine if the check box was unchecked by default but it's not. This is a shitty technique to get money from unaware users. It's low and scummy. However I disagree that we should just "drop" using java because it's incredibly useful and important. [editline]23rd January 2013[/editline] [QUOTE=acidcj;39328766]And to people who say "just pay attention to the installer," see this post from the discussion on HN yesterday: Just to tell my experiences on this, I was [I]forced[/I] to install the crapware last week. There was no way for me to uncheck or opt out of the checkbox. I have machines which I connect to that do not have any mouse connected. I have no problem in navigating systems with a keyboard and can run through installers probably quicker than most people with a mouse can, but when this dialog popped up for me, I was stumped for about 10 minutes. I employed every shortcut in my keyboard-shortcut arsenal and fell short. I genuinely felt like this was not just some programming mistake (because the "Next" control was already highlighted waiting for me to hit Enter). It is a dark pattern that was purposefully introduced to their installer to make it impossible for users like me to opt-out of their installer. A consequence of their deception was that they did get a dozen installs from me, but my dislike for Oracle increased tenfold, and in a quiet-protest, I'll make damned sure that I suggest any alternative to an Oracle product when I have reasonable alternatives (Without cutting off my nose to spite my face).[/QUOTE] Spacebar unchecks radio buttons. Just tab and spacebar. Although it wouldn't surprise me if you couldn't disable it without a mouse.
At least it doesn't do that thing where you click next to install the adware and cancel not to, making you think you have to either install it or cancel the whole installation of the program you want.
This has happened to me twice already. If I uncheck the box to make it not install any toolbars, it does it anyways. It shows up in my applications list too. The update notifications are a pain so they were disabled. :L
[QUOTE=Amiga OS;39328624]If only it wasn't proprietary.[/QUOTE] C# is an Open Standard last time I checked. [url=http://www.ecma-international.org/publications/standards/Ecma-334.htm]ECMA-334[/url]. It's the .Net Framework that's proprietary (but there are many parts of it that are Open). But there are other frameworks out there that run C# code that are also Open Source.
I skim read the article before, I thought the argument was that it installed Ask toolbar anyway. But I do agree it should be disabled by default. I'm always very cautious when installing things since I've come across a few installers that do this. µtorrent does it as well, I think it also asks you to install some toolbar (possibly Ask toolbar again) and also check out a free download. It's annoying for people who just want to install something quickly. Other operating systems like Linux and OSX don't have this problem because they don't use install wizards as much or not at all. On Linux there's usually some form of package manager which just installs the application, and on OSX with some (if not most?), you download a file, click the icon and it asks you to drag to the applications folder. There's also the Mac App store now. Windows is lagging behind, still using old wizard installers that allow people to do things like this
i wish apple declared war on java instead of flash (since adobe is already actively trying to kill off their own flash)
I never liked java this just more of a reason to dislike it. Looks like it's just bad management of what is a successful product..
If only developers would stop using java (mojang).
[QUOTE=vexx21322;39329204]If only developers would stop using java (mojang).[/QUOTE] The problem I suppose is the usefulness of Java. It may not be great, but it gets the job done, and history has shown several times over that such a reason is enough for anything new to be disregarded forever.
[QUOTE=Amiga OS;39328624]If only it wasn't proprietary.[/QUOTE] Uh, it's not. I would say it's more "free" (in the libre sense) than Java. Anyone can implement it (it is an ECMA standard after all) and the .NET Framework as they please.
[QUOTE=vexx21322;39329204]If only developers would stop using java (mojang).[/QUOTE] of all the developers that use Java you pick... Mojang? That's such a hilariously minor company to pick on, relatively speaking.
[QUOTE=vexx21322;39329204]If only developers would stop using java (mojang).[/QUOTE] every built-in app on android runs off java
[QUOTE=viperfan7;39328737]I wish stuff like this was illegal[/QUOTE] I can understand them asking, but the fact it waits 10 mins before it installs sounds like how spyware works.
[QUOTE=vexx21322;39329204]If only developers would stop using java (mojang).[/QUOTE] there isn't anything wrong with java, but there are things that are wrong with certain implementations
this and many of the other security holes in Java are why i have it completely and totally disabled on Chrome. not only does it leak enough memory to power Minsk for a year, it's also incredibly easy to infect people via it.
[QUOTE=FlubberNugget;39329431]there isn't anything wrong with java, but there are things that are wrong with certain implementations[/QUOTE] Completely agree, you never hear people calling for C# etc to be avoided because of issues with the dotnet framework (which there have been).
I'd comply with this, but I got a Java class I gotta do. Thing is, Java is already put into society so well that it's going to be very, very hard to get them away from this stupid tactic, because they know that EVERYONE uses it and they aren't going to drop it until it probably becomes illegal. It would take something at the scale of the SOPA protest to probably get a response from Oracle and/or the government otherwise. Well, probably not the government. It depends, really.
Just set it to auto-update.
[QUOTE=meppers;39329344]every built-in app on android runs off java[/QUOTE] The Android Java isn't the same though. It's not an Oracle product.