
Updated: Ed Bott Crowns Java the New "Foistware" King

by Charles Humble on Jan 23, 2013

On top of repeated security breaches to the Java browser plug-in, the long-established practice of including unrelated browser add-ons with the Java runtime installer is giving end-users another reason to avoid the Java platform.

In late 2005 Sun began bundling the Google toolbar with the Java runtime installer. Three years later the firm did a deal with Microsoft to include the MSN Toolbar, and then, in 2008, switched to bundling Yahoo. These days when you install the JRE on a Windows PC, the installer asks you to install the “Ask” search-engine toolbar into Internet Explorer, Chrome and Firefox. It also makes Ask your default search provider. You can opt out by unchecking a box, though the installer won't remember your choice. As a consequence, each time you install an update to, say, deal with another security issue, you need to remember to opt out again.

This is mildly irritating, but there's more. When you see this page on the installer

[Installer screenshot: Java and Ask installed]

it would seem reasonable to conclude that the Ask toolbar has been installed. If this was unintentional, you might head straight to Control Panel to remove it; if you try this, though, you'll find it isn't listed. The instructions link on the final dialog above doesn't provide any information on this (it relates only to Java), but it turns out that Ask's installer waits 10 minutes before running, and only after that will the toolbar be available in the program list. The only explanation I can think of for this is that it is intended to make it more difficult for users to uninstall the program, though Andrew Moers, President of the Ask Partner Network, told InfoQ "this [is] to ensure the JRE updates properly load without additional strain on a user's computer. This is not intended to trick users and is not a defining characteristic of the Ask product overall." Ed Bott disagrees. Writing in ZDNet he says, "I've never seen a legitimate program with an installer that behaves this way."

In my tests, I also had the uninstaller fail on one Windows 7 instance and had to resort to using a separate utility from here. I was surprised to find that if you do wait 10 minutes and then remove the program, the uninstaller fails to restore your default search engine to whatever it was before you installed the add-on. Moers pointed out that the uninstall process is industry standard:

Every major player (AOL, Google, Microsoft, Yahoo) follows this practice given that an uninstall has not been defined as official user consent to revert their settings. That said, the industry is quickly evolving. We're working closely with partners and policy makers to implement changes, such as providing notification of a user's current default settings when they uninstall the toolbar, as well as easily accessible, step-by-step instructions to change those settings.
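For anyone who wants to verify the two behaviours described above (the delayed appearance in the program list and the unrestored default search provider) on their own machine, here is an added PowerShell check, not from the article or from Ask/Oracle. It snapshots the Windows Uninstall registry entries and the Internet Explorer default search provider so the state can be compared before an installer runs, immediately after, and again after the 10-minute delay; the `Ask` name pattern and the snapshot function name are assumptions.

```powershell
# Added example: snapshot Programs-list entries and the IE default search provider.
# The Uninstall and SearchScopes registry locations are the standard Windows/IE ones;
# the "Ask" match pattern is an assumption for this illustration.
function Get-AddOnSnapshot {
    param([string]$NamePattern = 'Ask')

    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    # Programs-list entries whose display name matches the pattern.
    # A delayed installer shows up here only once it has actually run.
    $programs = foreach ($root in $uninstallRoots) {
        if (Test-Path $root) {
            Get-ChildItem $root | ForEach-Object { Get-ItemProperty $_.PSPath } |
                Where-Object { $_.DisplayName -match $NamePattern } |
                Select-Object DisplayName, InstallDate, UninstallString
        }
    }

    # Current per-user IE default search provider (DefaultScope points at a subkey).
    $scopesKey    = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    $defaultScope = (Get-ItemProperty $scopesKey -ErrorAction SilentlyContinue).DefaultScope
    $provider     = $null
    if ($defaultScope) {
        $provider = Get-ItemProperty (Join-Path $scopesKey $defaultScope) -ErrorAction SilentlyContinue |
            Select-Object DisplayName, URL
    }

    [pscustomobject]@{
        Timestamp        = Get-Date
        MatchingPrograms = @($programs)
        DefaultSearch    = $provider
    }
}

# Take one snapshot now; take another after the installer and a third after ten
# minutes, then compare. A changed DefaultSearch that an uninstall does not revert,
# or a MatchingPrograms entry that appears only in the third snapshot, is the
# behaviour the article describes.
$before = Get-AddOnSnapshot
$before | Format-List
# Later:  $after = Get-AddOnSnapshot
#         Compare-Object $before.MatchingPrograms $after.MatchingPrograms -Property DisplayName
```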

Bott has been a long-term critic of "foistware", previously crowning Adobe and Skype as the worst offenders. But over the past year Adobe and Skype have improved slightly, and Bott now believes that Java deserves the crown.

The evidence against Oracle is overwhelming. Specifically:
  • When you use Java's automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
  • With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java's "recommendation", you end up with unwanted software on your PC.
  • IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
  • The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.

Harvard professor Ben Edelman, who studies deceptive software practices, has provided an extensive analysis of the Ask toolbar. He concludes:

It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software. Java's many security problems make bundled installs all the worse: I've received new Ask installation prompts with each of Java's many security updates. (Ed Bott counts 11 over the last 18 months.) Even if the user had declined IAC's offer on half a dozen prior requests, Oracle persists in asking -- and a single slip-up, just one click or keystroke on the tenth request, will nonetheless deliver Ask's toolbar.

A security update should never serve as an opportunity to push additional software. As Oracle knows all too well from its recent security problems, users urgently need software updates to fix serious vulnerabilities. By bundling advertising software with security updates, Oracle teaches users to distrust security updates, deterring users from installing updates from both Oracle and others. Meanwhile, by making the update process slower and more intrusive, Oracle reduces the likelihood that users will successfully patch their computers. Instead, Oracle should make the update process as quick and easy as possible -- eliminating unnecessary steps and showing users that security updates are quick and trouble-free.

The development of Java has to be paid for somehow and installing unwanted toolbars is almost certainly big business with an install base the size of Java's. But it isn't desirable behavior. With even the mainstream press (one, two, three) urging users to disable Java on the back of recent US Department of Homeland Security recommendations, this practice gives users another reason to gripe.

Updated: This post was updated on the 24th January following a response to queries from Ask.com. Oracle were also approached but declined to comment.


"The development of Java has to be paid for somehow" by Tudor Stefanescu

"The development of Java has to be paid for somehow" - or they could just free the validation suite for Java and let others create standard Java distributions if "the development of Java" is too expensive for Oracle. Even then they could profit from their Java experience with a business model similar to that of ActiveState... Oracle just sucks.

Oracle vs the world by Giorgio Migliaccio

I know that the Java browser plug-in is not 'Java', as recently mentioned too often in the media, but most people don't know, and neither do most 'popular' journalists.
This unfortunately leads to the general public, and probably even IT decision makers, disliking Java and trying to get rid of it.
The slow progress of development, the alarming security holes, the packaging of ad-ware in a platform runtime installer(!) and generally the fact that Oracle doesn't take Java and its users too seriously might lead to a massive dislike and abandonment of the environment, giving Oracle even fewer reasons to invest in Java and its community.
Now there are major companies depending on Java... IBM, Oracle, Google and even organisations like NASA and so on.
So for server-side solutions, probably not much will change that fast.
There are still other Java runtimes available, like OpenJDK, IBM's, ... but they are far from being accessible to the general public, let alone being 100% compatible with the same 'Java standard', so existing applications might start behaving oddly.
But the voice and number of the general public can be very decisive.
If Oracle and Java keep on messing up, they'll lose all credibility, and I think that eventually other companies will benefit, be it MS (.NET), Google or even others...

Oracle on Java Security and Communication by Reza Rahman

The lead for Oracle Security, Martin Smith, and Donald Smith from the OpenJDK team had a conference call with worldwide JUG leaders. The recording of the meeting is available here: java.net/projects/jugs/downloads/download/Jan24.... This was a frank two-way discussion with Java community leaders about Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage in some venues. As Donald and Martin indicate on the call, we can expect this to be the tip of the iceberg of what will be done on the Java security and communication fronts.

As to the cadence of Java releases, Steve Harris has recently talked about having releases every other year: www.computerworld.com/s/article/9235638/Java_pu....

All views voiced are my own, not necessarily Oracle's.

Re: Oracle on Java Security and Communication by Charles Humble

Thanks for sharing this call audio Reza.

...and the technical/journalistic quality of recent press coverage in some venues.

I'm going to venture a personal opinion on this. I agree that some of the press coverage has been loose (I hope InfoQ's isn't - we try very hard to avoid this). As an example, most of the recent exploits go through the Java plug-in, so uninstalling Java (as opposed to just disabling the plug-in) is probably over the top. But I suspect that this is at least partly a consequence of Oracle's policy of not commenting to the press on security matters (or, honestly, anything much outside of choreographed press events). We saw a similar thing with the negative press stories that circulated in the first year or so after the acquisition, where Oracle wouldn't clarify intentions. Having covered Java both before and after Oracle was running the show, it is one of the most notable differences from a press perspective. There may be all sorts of reasons why Oracle acts this way, and of course there is a balance to be struck, but my own view is that not answering press queries is doing Java's reputation more harm than good.

Re: Oracle on Java Security and Communication by Reza Rahman

This will probably not surprise you much, but I agree with you that there is much to be desired in terms of Oracle's relationship with the press. Like all large companies, Oracle has its idiosyncrasies. As is indicated on the call, that is something there is good internal awareness of, at least at the moment. I suggest providing Oracle open, constructive feedback on what it can do better (as you just have).
All views voiced are my own, not necessarily Oracle's.
