A close look at how Oracle installs deceptive software with Java updates
Oracle's Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. With each update, Java actively tries to install unwanted software. Here's what it does, and why it has to stop.
Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.
And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.
In coordination with Ben Edelman, an expert on deceptive advertising, spyware and adware, I've been looking at how Oracle delivers Java to its customers and who it has chosen to partner with. The evidence against Oracle is overwhelming.
When you use Java’s automatic updater to install crucial security updates for Windows , third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s “recommendation,” you end up with unwanted software on your PC.
IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.
I’ve spent the past weekend installing and updating Java on an assortment of physical and virtual test PCs to see exactly how the Java updater works.
Here’s what I found.
When you install Java on a Windows PC for the first time, the installer includes this step, which I’ve previously documented:
Notice how the check box for that Ask toolbar is selected already. If you click Next or press Enter, that toolbar is installed into Internet Explorer, Chrome, and Firefox.
But surely you can just clear that checkbox, continue, and move on. Right?
Well, yes. Until there’s an important security update, which happens with depressing regularity to the Java browser plugin. (There have been 11 updates to Java SE 7, including six that fixed critical security issues, in the 18 months since its initial release.) Java’s updater forces the user to go through the same installation process, with the same pre-selected option to install unwanted software.
The reason, of course, is money: Oracle collects a commission every time that toolbar gets installed. And the Ask installer goes out of its way to hide its workings.
As I confirmed in my testing, when you update Java and simply click or press Enter to accept the default settings, the Java updater completes its installation first and displays this result:
That dialog box is not telling the truth.
In the background, the Ask toolbar installer continues to run, but it delays execution for 10 minutes. If you are a sophisticated Windows user and you missed the initial checkbox, your natural instinct at this point would be to open Control Panel and check Programs and Features. When you do, you will see that only the Java update has been installed. You might also check your browser settings to confirm that no changes have been made to your settings. You might conclude that you dodged a bullet and that the unwanted software wasn’t installed.
But you would be wrong. The Ask installer is still running, and after waiting 10 minutes, it drops two programs on the target system.
The only indication that this installer is running is a brief flash of the mouse pointer. A check of the Windows event logs shows that the installer completed its activity exactly 10 minutes after the Java installer finished, and the two Ask modules show up in the list of installed programs.
I’ve never seen a legitimate program with an installer that behaves this way. But spyware expert Ben Edelman notes that in the early part of the last decade this trick was business as usual for companies in the business of installing deceptive software. That list includes notorious bad actors like WhenU, Gator, and Claria.
The Ask toolbar “takes over default search, address bar search, and error handling.” As Edelman notes, “That's an intrusive set of changes, and particularly undesirable in light of the poor quality of IAC's search results.”
If you use the toolbar’s search box, you’re sent to “an IAC Mywebsearch results page with advertisements and search results syndicated from Google [with] listings that are intentionally less useful -- focused primarily on IAC's business interest in encouraging the user to click extra advertisements.”
Unlike a Google search page, ads at IAC Mywebsearch lack “distinctive background color to help users distinguish ads from algorithmic results. Furthermore, IAC's voluminous ads fill the entirety of the first screen of results for many searches. A user familiar with Google would expect ads to have a distinctive background color and would know that ads typically stop after at most one screen … the user might well conclude that these are algorithmic listings rather than paid advertisements.”
The ads on the Mywebsearch pages ignore standard industry practice and Google rules and make the entire ad clickable, “including domain name, ad text, and large whitespace … IAC's search result pages expand the clickable area of each advertisement to fill the entire page width, sharply increasing the fraction of the page where a click will be interpreted as a request to visit the advertiser's page.”
This is sleazy stuff. If you have installed this software, it affects searches you run from the address bar in any browser, including Chrome. Installing the Java update on my main PC hijacked the default search provider in Chrome 24 (the current version) and redirected searches from the Google omnibox (the address bar) to Ask.com. At no point was I asked for permission to make these changes to the settings in Chrome. (A reasonable person would not conclude that clicking "Next" in a dialog box to install an update has the same legal effect as "I agree" to a set of license terms.)
The Ask search results for the title of my new book included seven ads at the top of the page, with background color and visual styles that were indistinguishable from web search results. Three of those ads were for deceptive or misleading "PC fix-it services" or software. One ad, ironically, offered an unauthorized download of the free Microsoft Security Essentials that included its own adware bundle.
The actual result I was looking for was in the seventh position under the Ask web search results. The same search at Google.com included only one clearly labeled ad, and the best search result was in the third position in results. The screen below shows the ugly Ask toolbar and the Ask icon at the top of the Chrome window. Both were installed without informed consent and with no warning except the original misleading dialog box in the Java updater.
Uninstalling the Ask toolbar does not restore the previous search settings in Chrome 24. You have to make that change manually.
The good news is that browser makers collectively are making it more difficult for toolbars like this to be installed and enabled inadvertently.
Beginning with Internet Explorer 9, new toolbars and other add-ons are disabled by default. You must specifically enable them before they’re active.
Mozilla Firefox has a similar add-on approval feature.
Beginning with version 25 (now in beta), Chrome will block add-ons that are installed by third parties and will require the user to specifically enable them.
The Ask toolbar installer takes these defensive measures into account and uses social engineering to try to convince the user to enable the add-ons. It does this by adding its own messages along with the system messages. Here’s what you see in Internet Explorer, for example, the first time you open the browser after the toolbar is installed:
And here’s the extra visual aid added in Firefox, which also appears in a prominent window on first run after the installation of the toolbar:
These additions to the UI are being added as a bit of social engineering designed to convince the user to override legitimate security settings.
(A side note: In Windows 8, Internet Explorer 10 refuses to install the Ask toolbar at all, although it does install with Chrome 24. An error message in the event logs suggests the installer isn't working properly with IE 10.)
Interestingly, while Oracle continues to junk up Java with these aggressive installer mechanisms, Adobe has moved the opposite direction over the past year or so.
Installing Adobe Flash or Reader for the first time on a Windows PC still includes the option to install third-party software (typically Google Chrome and the Google toolbar for Internet Explorer). But updates are handled automatically in the background. If you enable the Adobe updater, updates just work, with no attempt to install anything other than the updates.
Even better, both Google and Microsoft have incorporated Flash into current versions of their browsers (Internet Explorer 10 and all recent releases of Chrome), so that installing a plugin isn’t required. Updates are handled through Windows Update and the Chrome Updater, respectively.
The Skype installer, which once offered to install toolbars and add-ons, no longer does so (although it does attempt to change the user's default search engine and home page, a behavior that shouldn't be tolerated).
Java’s updater, by contrast, is a mess. It doesn’t work properly with limited user accounts, and as I’ve demonstrated here, it requires user interaction and unethically attempts to push add-ons that no sane Windows user would accept if they knew how that software works.
And to add injury to insult, the updater takes its own sweet time notifying you when important security updates are available. As the text in the updater dialog box makes clear, you might have to wait between 7 and 30 days after an update is available before you're notified of it. And then you're forced to initiate the update yourself, avoiding the unwanted software along the way. It's no wonder so many people are running outdated and highly vulnerable Java plugins.
I continue to recommend that Windows users avoid installing Java at all, if possible. If you must run it, consider using Ninite to keep it updated in a timely fashion without being annoyed by potentially unwanted software. But for those who aren't aware of options like that, the update process should be fast, accurate, and transparent. Oracle has a responsibility to clean up its act and end its relationship with IAC.