A close look at how Oracle installs deceptive software with Java updates

Summary: Oracle's Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. With each update, Java actively tries to install unwanted software. Here's what it does, and why it has to stop.

Congratulations, Oracle.

Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.

And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.

In coordination with Ben Edelman, an expert on deceptive advertising, spyware and adware, I've been looking at how Oracle delivers Java to its customers and who it has chosen to partner with. The evidence against Oracle is overwhelming. 

Specifically:

  • When you use Java’s automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
  • With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s “recommendation,” you end up with unwanted software on your PC.
  • IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
  • The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.

I’ve spent the past weekend installing and updating Java on an assortment of physical and virtual test PCs to see exactly how the Java updater works.

Here’s what I found.

When you install Java on a Windows PC for the first time, the installer includes this step, which I’ve previously documented:

Notice how the check box for that Ask toolbar is selected already. If you click Next or press Enter, that toolbar is installed into Internet Explorer, Chrome, and Firefox.

But surely you can just clear that checkbox, continue, and move on. Right?

Well, yes. Until there’s an important security update, which happens with depressing regularity to the Java browser plugin. (There have been 11 updates to Java SE 7, including six that fixed critical security issues, in the 18 months since its initial release.) Java’s updater forces the user to go through the same installation process, with the same pre-selected option to install unwanted software.

The reason, of course, is money: Oracle collects a commission every time that toolbar gets installed. And the Ask installer goes out of its way to hide its workings.

As I confirmed in my testing, when you update Java and simply click or press Enter to accept the default settings, the Java updater completes its installation first and displays this result:

[Image: java-update-complete]

That dialog box is not telling the truth.

In the background, the Ask toolbar installer continues to run, but it delays execution for 10 minutes. If you are a sophisticated Windows user and you missed the initial checkbox, your natural instinct at this point would be to open Control Panel and check Programs and Features. When you do, you will see that only the Java update has been installed. You might also check your browser settings to confirm that no changes have been made to your settings. You might conclude that you dodged a bullet and that the unwanted software wasn’t installed.

But you would be wrong. The Ask installer is still running, and after waiting 10 minutes, it drops two programs on the target system.

The only indication that this installer is running is a brief flash of the mouse pointer. A check of the Windows event logs shows that the installer completed its activity exactly 10 minutes after the Java installer finished, and the two Ask modules show up in the list of installed programs.

[Image: java-update-adds-ask-toolbars]
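As an added illustration that is not part of the article, here is a PowerShell check an administrator could run after a Java update to surface the delayed install described above: it reads the Application log for Windows Installer completion events, finds the Java install, flags any other product whose install completed within a short window after it, and then cross-checks the Programs and Features entries. The 15-minute window, the name patterns, and the assumption that the bundled installer logs through Windows Installer (MsiInstaller event 11707) are mine; if the bundle installs without MSI, only the registry check will catch it.

```powershell
# Added example (not from the article): flag product installs that complete
# shortly after a Java update, then cross-check installed-program entries.
# Assumptions: the bundled installer logs MsiInstaller event 11707 in the
# Application log, and a 15-minute window covers the 10-minute delay.
# Run from an elevated PowerShell prompt.
param(
    [int]$WindowMinutes = 15,
    [string[]]$SuspectPatterns = @('Ask', 'McAfee Security Scan')
)

# Event 11707 text reads "Product: <name> -- Installation completed successfully."
function Get-ProductName([string]$Message) {
    if ($Message -match '^Product:\s*(.+?)\s*--') { return $Matches[1] }
    return ($Message -split "`n")[0].Trim()
}

# Completed installs, oldest first.
$installs = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707
    } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Product = Get-ProductName $_.Message }
    }

# For every Java install, report other products that finished installing
# inside the window after it: the signature of a deferred bundled installer.
foreach ($java in ($installs | Where-Object { $_.Product -match '^Java' })) {
    $deadline = $java.Time.AddMinutes($WindowMinutes)
    $installs |
        Where-Object { $_.Time -gt $java.Time -and $_.Time -le $deadline -and
                       $_.Product -notmatch '^Java' } |
        ForEach-Object {
            $lag = [int]($_.Time - $java.Time).TotalMinutes
            Write-Warning ("'{0}' completed {1} min after '{2}' ({3})" -f
                $_.Product, $lag, $java.Product, $java.Time)
        }
}

# Programs and Features is built from these Uninstall keys (32- and 64-bit views);
# list any entry whose display name matches the suspect patterns.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$pattern = ($SuspectPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, Publisher, InstallDate
```

Because the bundled installer waits before writing anything, run the check after the delay has elapsed rather than immediately after the Java dialog reports success.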

I’ve never seen a legitimate program with an installer that behaves this way. But spyware expert Ben Edelman notes that in the early part of the last decade this trick was business as usual for companies in the business of installing deceptive software. That list includes notorious bad actors like WhenU, Gator, and Claria.

In a new post, Edelman thoroughly analyzes the Ask toolbar and breaks down the deceptive behavior that the toolbar itself is associated with:

  • The Ask toolbar “takes over default search, address bar search, and error handling.” As Edelman notes, “That's an intrusive set of changes, and particularly undesirable in light of the poor quality of IAC's search results.”
  • If you use the toolbar’s search box, you’re sent to “an IAC Mywebsearch results page with advertisements and search results syndicated from Google [with] listings that are intentionally less useful -- focused primarily on IAC's business interest in encouraging the user to click extra advertisements.”
  • Unlike a Google search page, ads at IAC Mywebsearch lack “distinctive background color to help users distinguish ads from algorithmic results. Furthermore, IAC's voluminous ads fill the entirety of the first screen of results for many searches. A user familiar with Google would expect ads to have a distinctive background color and would know that ads typically stop after at most one screen … the user might well conclude that these are algorithmic listings rather than paid advertisements.”
  • The ads on the Mywebsearch pages ignore standard industry practice and Google rules and make the entire ad clickable, “including domain name, ad text, and large whitespace … IAC's search result pages expand the clickable area of each advertisement to fill the entire page width, sharply increasing the fraction of the page where a click will be interpreted as a request to visit the advertiser's page.”

This is sleazy stuff. If you have installed this software, it affects searches you run from the address bar in any browser, including Chrome. Installing the Java update on my main PC hijacked the default search provider in Chrome 24 (the current version) and redirected searches from the Google omnibox (the address bar) to Ask.com. At no point was I asked for permission to make these changes to the settings in Chrome. (A reasonable person would not conclude that clicking "Next" in a dialog box to install an update has the same legal effect as "I agree" to a set of license terms.)

[Image: search-settings-changed-in-chrome-no-consent]

The Ask search results for the title of my new book included seven ads at the top of the page, with background color and visual styles that were indistinguishable from web search results. Three of those ads were for deceptive or misleading "PC fix-it services" or software. One ad, ironically, offered an unauthorized download of the free Microsoft Security Essentials that included its own adware bundle.

The actual result I was looking for was in the seventh position under the Ask web search results. The same search at Google.com included only one clearly labeled ad, and the best search result was in the third position in results. The screen below shows the ugly Ask toolbar and the Ask icon at the top of the Chrome window. Both were installed without informed consent and with no warning except the original misleading dialog box in the Java updater.

[Image: ask-search-results-in-chrome]

Uninstalling the Ask toolbar does not restore the previous search settings in Chrome 24. You have to make that change manually.

The good news is that browser makers collectively are making it more difficult for toolbars like this to be installed and enabled inadvertently.

  • Beginning with Internet Explorer 9, new toolbars and other add-ons are disabled by default. You must specifically enable them before they’re active.
  • Mozilla Firefox has a similar add-on approval feature.
  • Beginning with version 25 (now in beta), Chrome will block add-ons that are installed by third parties and will require the user to specifically enable them.

The Ask toolbar installer takes these defensive measures into account and uses social engineering to try to convince the user to enable the add-ons. It does this by adding its own messages along with the system messages. Here’s what you see in Internet Explorer, for example, the first time you open the browser after the toolbar is installed:

[Image: ask-toolbar-additions-in-IE9]

And here’s the extra visual aid added in Firefox, which also appears in a prominent window on first run after the installation of the toolbar:

[Image: ask-toolbar-additions-in-Firefox]

These additions to the UI are being added as a bit of social engineering designed to convince the user to override legitimate security settings.

(A side note: In Windows 8, Internet Explorer 10 refuses to install the Ask toolbar at all, although it does install with Chrome 24. An error message in the event logs suggests the installer isn't working properly with IE 10.)

Interestingly, while Oracle continues to junk up Java with these aggressive installer mechanisms, Adobe has moved the opposite direction over the past year or so.

Installing Adobe Flash or Reader for the first time on a Windows PC still includes the option to install third-party software (typically Google Chrome and the Google toolbar for Internet Explorer). But updates are handled automatically in the background. If you enable the Adobe updater, updates just work, with no attempt to install anything other than the updates.

Even better, both Google and Microsoft have incorporated Flash into current versions of their browsers (Internet Explorer 10 and all recent releases of Chrome), so that installing a plugin isn’t required. Updates are handled through Windows Update and the Chrome Updater, respectively.

The Skype installer, which once offered to install toolbars and add-ons, no longer does so (although it does attempt to change the user's default search engine and home page, a behavior that shouldn't be tolerated).

Java’s updater, by contrast, is a mess. It doesn’t work properly with limited user accounts, and as I’ve demonstrated here, it requires user interaction and unethically attempts to push add-ons that no sane Windows user would accept if they knew how that software works.

And to add injury to insult, the updater takes its own sweet time notifying you when important security updates are available. As the text in the updater dialog box makes clear, you might have to wait between 7 and 30 days after an update is available before you're notified of it. And then you're forced to initiate the update yourself, avoiding the unwanted software along the way. It's no wonder so many people are running outdated and highly vulnerable Java plugins.

I continue to recommend that Windows users avoid installing Java at all, if possible. If you must run it, consider using Ninite to keep it updated in a timely fashion without being annoyed by potentially unwanted software. But for those who aren't aware of options like that, the update process should be fast, accurate, and transparent. Oracle has a responsibility to clean up its act and end its relationship with IAC.

Topics: Enterprise Software, Browser, Oracle, Security

Talkback

164 comments
  • Larry needs the crapware revenue

    Do you know how expensive it is to buy islands and super yachts?
    hubivedder
    • Ensures I never consider McAfee as my anti-virus program or firewall

      Very aggravating!!!
      DaveW
      gingoro
      • Bad publicity for McAfee

        ... yes you're right! After I had to uninstall the McAfee crap-ware forced on all machines across my organization, I have such a bad taste in my mouth about that brand that I would never touch it with a 10ft pole, and I'm always sure to recommend against it when people ask me about AV options. Yes McAfee gets subscriptions this way, but it is not a long term strategy for sustainability and brand confidence & brand building.
        jennyn
      • Let's petition Oracle to stop this practice!

        As a Java developer I am frustrated by this scam that is ruining Java's reputation. So I started this petition to stop bundling adware with Java:

        https://www.change.org/petitions/oracle-corporation-stop-bundling-ask-toolbar-with-the-java-installer

        If you agree that Oracle should remove Ask Toolbar from Java please sign this petition.
        Saeid Nourian
    • Boo Diddly Hoo

      Hahahaha... you really think the readers of this site are idiots!! hahahaha... good one.

      Once again it's TOO GOOD TO BE TRUE that you only just discovered this.

      This article stinks like CASH for comments. Reads more like a subtle Google Ad bashing Ask, than anything to do with Ask at all.

      Ed, after 20 years of writing, you're still stuck in 1980 where people cared about stuff like this. It's 2012 where we hand ALL of our private data to Google EVERY time we send or receive an email, data which is aggregated and sold for billions of dollars.

      Anyone who's used a computer more than 5 minutes knows toolbars are installed IN YOUR BROWSER, or maybe journalists are retarded when using computers.

      "I’ve never seen a legitimate program with an installer that behaves this way." - For an IT writer this scares me that you've never installed software yourself. Millions of programs do this.

      You WANT Java for free, but don't want to pay in other ways, yet you're happy with Google Desktop pumping all your computer usage and installed programs and other information back to Google HQ?

      FULL DISCLOSURE PLEASE.
      dawesi
      • Seriously

        Millions of programs pause the installer, and don't actually install until 10 minutes after it says it was successfully installed? I agree with Ed. I've never seen another program do that.
        dpeters11
      • Google is doing much the same thing

        Every Flash Update still has a Chrome install ticked to catch the unwary, which probably explains their usage numbers. It certainly worked with a couple of my friends who needed to have IE put back.

        It's the old Trojan Horse gambit
        Tony_McS
        • Google is doing much the same thing ... but

          While I don't approve of the tactic in general, I wouldn't mind receiving Chrome on the side. Chrome is an excellent security update for IE and its flash plugin. Anyhow, this is just theory for me. I normally use Linux, where this kind of thing is absolutely unacceptable. If Debian shipped spamware it would cause an uproar!
          Sam Watkins
          • doesn't happen on Linux?

            By default Ubuntu sends all your personal desktop searches to Amazon. It's not 3rd-party software you have to worry about, it's your OS.

            Nothing is stopping 3rd-party companies from doing the same thing on Linux. If Linux had the market share of Windows you would see the exact same thing happening.
            soxnumber24@...
      • Thank you.

        ASK.com, pls go
        shiggidy
      • Dawesi must work for Oracle

        This crap software is like the drive-by downloads we all love (malware and crap software) and how much of a pain in the ass it is to uninstall and get rid of. Ask is crap software and has no real purpose but to slow down your devices. Dawesi, it's crap software from a greedy ass company
        Rhett Dudley
    • Thanks for this article

      I just wiped and reloaded a laptop suffering a nervous breakdown because of this situation. The thing took 5 minutes to boot afterwards applications would time-out and crash either loading or running. If I could stop the services in msconfig, they'd magically restart themselves after these "updates" were performed.

      The evil McAfee was installed, Ask, some ValueAd thing and several others. If Java is that vulnerable and needs hackers to beta test it prompting a weekly update, why still use it? Keep it in the embedded world.
      Rodger Bartlett
  • Hah, installed update 11 just a couple days ago..

    .. and it was after quite a long time I was updating, so when I saw the recommendation to install the Ask toolbar, I went "what the hell, why does Oracle need to add these things in the Java installer?" I understand they have to make money but really, not sure I expect this from a company like Oracle.

    Oh well, unticked Ask option, so all is well. :X
    addicted2088
    • Um, not really

      When you get a critical patch to Java, you will get a stealth Ask install.

      Did you actually read the article above, or just the first paragraph?
      Non-Euclidean
      • There is no "Stealth" install

        There is nothing stealth about a box that says "install ask toolbar and make it the default search engine". If you don't want it, simply uncheck the box.

        People need to take responsibility for their installation practices. Clicking on "next" as fast as you can through an install without reading the characters on the screen is just plain lazy.
        doncraw
        • Did you not read it?

          It installs with the updater if you don't hold its hand through the install. It's not a next-as-fast-as-you-can thing. If you click "recommended settings" or whatever it's called it installs the toolbar. I'm glad that the browsers are beginning to no longer respond to those stupid things though.
          SteveLynch
        • People need to take responsibility for their installation practices

          Yes u r correct
          Rahul Sharma123
        • So you like to read?

          Do you always read all the text when you install software? If so, do you ever get anything done?

          (I don't see how Ask is related to Java. I need Java for my internet banking. A new toolbar in my browser? Forget about it! It's incredibly rude and totally unprofessional. Not to mention confusing for novice users.)
          evahovelsrod
    • Well, Some of us DO expect it out of Larry...

      since he is so incredibly arrogant.
      mejohnsn
  • Java's main market these days

    Is enterprise architecture. I'm not exactly sure what Oracle is thinking, but you don't ingratiate your customers by trying to install crapware on their servers! (Where it serves little use anyways. Who surfs from a Web server?)
    Mac_PC_FenceSitter