Updated: Ed Bott Crowns Java the New "Foistware" King

On top of repeated security breaches to the Java browser plug-in, the long-established practice of including unrelated browser add-ons with the Java runtime installer is giving end-users another reason to avoid the Java platform.

In late 2005 Sun began bundling the Google toolbar with the Java runtime installer. Three years later the firm did a deal with Microsoft to include the MSN Toolbar, and then, in 2008 switched to bundling Yahoo. These days when you install the JRE on a Windows PC, the installer asks you to install the “Ask” search-engine toolbar into Internet Explorer, Chrome and Firefox. It also makes Ask your default search provider. You can opt-out by unchecking a box, though the installer won't remember your choice. As a consequence each time you install an update to, say, deal with another security issue, you need to remember to opt out again.

This is mildly irritating, but there's more. When you see this page on the installer

it would seem reasonable to conclude that the Ask toolbar has been installed. Should this have been unintentional, you might head straight to Control Panel to remove it - if you try this though, you'll find it isn't listed. The instructions link on the final dialog above doesn't provide any information on this (it relates only to Java), but it turns out that Ask's installer waits 10 minutes before running, and only after that will the toolbar be available in the program list. The only explanation I can think of for this is that it is intended to make it more difficult for users to uninstall the program, though Andrew Moers, President of the Ask Partner Network told InfoQ "this to ensure the JRE updates properly load without additional strain on a user's computer. This is not intended to trick users and is not a defining characteristic of the Ask product overall." Ed Bott disagrees. Writing in ZDNet he says, "I've never seen a legitimate program with an installer that behaves this way."

In my tests, I also had the uninstaller fail on one Windows 7 instance and had to resort to using a separate utility from here. I was surprised to find that if you do wait 10 minutes and then remove the program, the uninstaller fails to restore your default search engine back to whatever it was before you installed the add-on. Moers pointed out that the uninstall process is industry standard

Every major player (AOL, Google, Microsoft, Yahoo) follows this practice given that an uninstall has not been defined as official user consent to revert their settings. That said, the industry is quickly evolving. We're working closely with partners and policy makers to implement changes, such as providing notification of a user's current default settings when they uninstall the toolbar, as well as easily accessible, step-by-step instructions to change those settings.

Bott has been a long-term critic of "foistware", previously crowning Adobe and Skype as the worst offenders. But over the past year Adobe and Skype have improved slightly, and Bott now believes that Java deserves the crown.

The evidence against Oracle is overwhelming. Specially:

• When you use Java's automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
• With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java's "recommendation", you end up with unwanted software on your PC.
• IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
• The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.

Harvard professor Ben Edelman, who studies deceptive software practices, has provided an extensive analysis of the Ask toolbar. He concludes

It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software. Java's many security problems make bundled installs all the worse: I've received a new Ask installation prompts with each of Java's many security updates. (Ed Bott counts 11 over the last 18 months.) Even if the user had declined IAC's offer on half a dozen prior requests, Oracle persists on asking -- and a single slip-up, just one click or keystroke on the tenth request, will nonetheless deliver Ask's toolbar.

A security update should never serve as an opportunity to push additional software. As Oracle knows all too well from its recent security problems, users urgently need software updates to fix serious vulnerabilities. By bundling advertising software with security updates, Oracle teaches users to distrust security updates, deterring users from installing updates from both Oracle and others. Meanwhile, by making the update process slower and more intrusive, Oracle reduces the likelihood that users will successfully patch their computers. Instead, Oracle should make the update process as quick and easy as possible -- eliminating unnecessary steps and showing users that security updates are quick and trouble-free.

The development of Java has to be paid for somehow and installing unwanted toolbars is almost certainly big business with an install base the size of Java's. But it isn't desirable behavior. With even the mainstream press (one, two, three) urging users to disable Java on the back of recent US Department of Homeland Security recommendations, this practice gives users another reason to gripe.

Updated: This post was updated on the 24th January following a response to queries from Ask.com. Oracle were also approached but declined to comment.