
A close look at how Oracle installs deceptive software with Java updates

  • January 22, 2013
  • 17 replies
  • 10 views

RetiredTripleHelix
Gold VIP
Summary: Oracle's Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. With each update, Java actively tries to install unwanted software. Here's what it does, and why it has to stop.
 
Congratulations, Oracle.
Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.
And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.
In coordination with Ben Edelman, an expert on deceptive advertising, spyware and adware, I've been looking at how Oracle delivers Java to its customers and who it has chosen to partner with. The evidence against Oracle is overwhelming.
Specifically:
  • When you use Java’s automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
  • With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s “recommendation,” you end up with unwanted software on your PC.
  • IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
  • The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.
I’ve spent the past weekend installing and updating Java on an assortment of physical and virtual test PCs to see exactly how the Java updater works.
 
 
Full Article
 
TH


17 replies

ProTruckDriver
Moderator
Thanks TH for the post. Interesting read. 😉

shorTcircuiT
  • Gold VIP
  • January 22, 2013
Very interesting information TH.. Thank you!  I was not at all aware of the inclusion of 3rd party software during the automatic update process, as I don't use it.  I have seen the need to opt out of the 3rd party software when installing or manually updating.
 
The bad thing is, Ask is the absolute last resort search for me ( I think I have used it once in the last year..) and I am not a very big fan of McAfee either.
 
I had been seriously considering turning the automatic updates ON for a few weeks as the recently found bugs are worked out, but I am thinking now that I will leave it OFF.

RetiredTripleHelix
Gold VIP
Thanks PTD and David but it's really sad. "Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes." Most of the Internet speed tests I do now have converted to Flash from Java so if they don't get on top of this they will lose a lot of shares and now with added crapware like ASK even though when I update I download the installers 32bit & 64bit for my Win 7 64bit system and uncheck the crapware boxes during install. :@
 
TH

explanoit
  • Silver VIP
  • January 23, 2013
I asked @Webroot to add this crap to the detection rules but since you can uncheck it they don't consider it PUP.

cohbraz
  • Community Leader
  • January 23, 2013
Thanks TH. While I knew that Java had more holes than the Dallas Cowboys defense, I did not know that it installed the 3rd party software on its regular updates. That is strange though because I have never seen the Ask toolbar or the McAfee security scanner and I am fairly certain that I have received some of these updates automatically.

Time to inspect my file system!

JimM
  • Retired Webrooter
  • January 23, 2013
Corey, as a Cowboys fan, I am going to remove two of your posts and knock you back down to Frequent Voice. :P

just kidding

pegas
  • Gold VIP
  • January 24, 2013
@ wrote:
Thanks TH. While I knew that Java had more holes than the Dallas Cowboys defense, I did not know that it installed the 3rd party software on its regular updates. That is strange though because I have never seen the Ask toolbar or the McAfee security scanner and I am fairly certain that I have received some of these updates automatically.

Time to inspect my file system!
I have to agree with cohbraz. I was auto updating Java for the past years and never received the 3rd party applications. Anyway I disabled auto update after the latest Java vulnerabilities.

pegas
  • Gold VIP
  • January 24, 2013
@ wrote:
Corey, as a Cowboys fan, I am going to remove two of your posts and knock you back down to Frequent Voice. :P

just kidding
Jim and what about me being a fan of Dallas Stars where the Czech fellow Jaromir Jagr shines http://sports.yahoo.com/news/nhl--old-man-and-the-stars--jaromir-jagr-embraces-leading-role-in-dallas-194920889.html 
 
Will I be demoted back to Frequent Voice or rather promoted to Sr. Community Guide? :D

pegas
  • Gold VIP
  • January 30, 2013
@ wrote:
@ wrote:
Corey, as a Cowboys fan, I am going to remove two of your posts and knock you back down to Frequent Voice. :P

just kidding
Jim and what about me being a fan of Dallas Stars where the Czech fellow Jaromir Jagr shines http://sports.yahoo.com/news/nhl--old-man-and-the-stars--jaromir-jagr-embraces-leading-role-in-dallas-194920889.html 
 
Will I be demoted back to Frequent Voice or rather promoted to Sr. Community Guide? :D
@ JimM
That's great you're a fan of Dallas Stars :D ;)

JimM
  • Retired Webrooter
  • January 30, 2013
LOL I think you earned that rank!

Actually yes, I am a longtime Stars fan though. I lived in Dallas back when they moved from Minnesota. I remember the Modano days. I'm more of an AV's fan now, but I still like the Stars.

RWM
  • Community Leader
  • February 20, 2013
Correct me if I'm wrong, but wasn't Java founded by Sun Microsystems?  I used to own the stock.
 
As for Larry Ellison, the CEO of Oracle, he's one of the richest men in the world...reputedly No. 6 and worth about $41 billion dollars.  Unlike Gates and Buffett, he doesn't seem to give much of it away, so his numbers keep skyrocketing.  😠

shorTcircuiT
  • Gold VIP
  • February 20, 2013
Sun did.. you are correct.

Oracle bought them out. 🙂

cohbraz
  • Community Leader
  • February 20, 2013
@ wrote:

Actually yes, I am a longtime Stars fan though.
One word: Carolina Hurricanes!!!

RWM
  • Community Leader
  • February 20, 2013
@DavidP wrote:
Sun did.. you are correct.

Oracle bought them out. :)
Shame.  I liked SUNW when it was SUNW.  I followed it religiously and traded it actively.:p
 
Don't like it so much now that Oracle acquired it.  Ellison is not a fan of mine.  😠

remixedcat
  • Community Leader
  • April 4, 2013
The only java I really wanna have anything to do with comes in a cup. 
 
Sadly 2 jobs need it :( 

Trooper
  • New Member
  • April 4, 2013
Same for me.  I do not use java at all.  In fact, I tell people to either not install it or if they have it installed, to uninstall it.

pegas
  • Gold VIP
  • April 5, 2013
@ wrote:
Same for me.  I do not use java at all.  In fact, I tell people to either not install it or if they have it installed, to uninstall it.
Had Java not been needed for my banking, it wouldn't be on my PC anymore. Unfortunately, we users are forced to use Java because a lot of solutions stand on the Java environment (they boast about 3 billion users across all platforms, i.e. mobile, PC etc.).