Don't accidentally install the Ask toolbar


3 replies to this topic

#1 cnm

    Mother Lion of SWI

  • Administrators
  • 25,269 posts

Posted 23 January 2013 - 01:32 PM

When you update Java, uncheck that box!

http://www.benedelma...s/012213-1.html

 

The Special Problems of IAC Ask Toolbar Installed by Oracle's Java Updates

 

[Image: ask-iac-011613-small.png] Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.

Ongoing Oracle Java updates also install the IAC Ask Toolbar. I discuss these installations in this separate section because they raise concerns somewhat different from the IAC toolbars discussed above. I see five key problems with Oracle Java updates that install IAC toolbars:

First, as Ed Bott noted last week, the "Install the Ask Toolbar" checkbox is prechecked, so users can install the Ask toolbar with a single click on the "Next" button. Accidental installations are particularly likely because the Ask installation prompt is step three of a five-screen installation process. When installing myriad software updates, it's easy to get into a routine of repeatedly clicking Next to finish the process as quickly as possible. But in this case, just clicking Next yields the installation of Ask's toolbar.

Second, although the Ask installation prompt does not show a "focus" (a highlighted button designated as the default if a user presses enter), the Next button actually has focus. In testing, I found that pressing the enter or spacebar keys has the same effect as clicking "Next." Thus, a single press of either of the two largest keys on the keyboard, with nothing more, is interpreted as consent to install Ask. That's much too low a bar -- far from the affirmative indication of consent that Google rules and FTC caselaw call for.

Third, in a piece posted today, Ed Bott finds Oracle and IAC intentionally delaying the installation of the Ask Toolbar by fully ten minutes. This delay undermines accountability, especially for sophisticated users. Consider a user who mistakenly clicks Next (or presses enter or spacebar) to install Ask Toolbar, but immediately realizes the mistake and seeks to clean his computer. The natural strategy is to visit Control Panel - Programs and Features to activate the Ask uninstaller. But a user who immediately checks that location will find no listing for the Ask Toolbar: The uninstaller does not appear until the Ask install finishes after the intentional ten minute delay. Of course even sophisticated users have no reason or ability to know about this delay. Instead, a sophisticated user would conclude that he somehow did not install Ask Toolbar after all -- and only later will the user notice and, perhaps, proceed with uninstall. It's a familiar tactic -- I found WhenU adware engaged in similar intentional delay half a decade ago -- but it's surprising to see IAC and Oracle stoop to this level.

Fourth, IAC makes changes beyond the scope of user consent and fails to revert these changes during uninstall. The Oracle/IAC installation solicitation seeks permission to install an add-on for IE, Chrome, and Firefox, but nowhere mentions changing address bar search or the default Chrome search provider. Yet the installer in fact makes all these changes, without ever seeking or receiving user consent. Conversely, uninstall inexplicably fails to restore these settings. As noted above, these incomplete uninstalls violate Google's Software Principles requirement that an "easy" uninstall must disable "all functions of the application."

Finally, the Java update is only needed as a result of a serious security flaw in Java. It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software. Java's many security problems make bundled installs all the worse: I've received new Ask installation prompts with each of Java's many security updates. (Ed Bott counts 11 over the last 18 months.) Even if the user had declined IAC's offer on half a dozen prior requests, Oracle persists in asking -- and a single slip-up, just one click or keystroke on the tenth request, will nonetheless deliver Ask's toolbar.

A security update should never serve as an opportunity to push additional software. As Oracle knows all too well from its recent security problems, users urgently need software updates to fix serious vulnerabilities. By bundling advertising software with security updates, Oracle teaches users to distrust security updates, deterring users from installing updates from both Oracle and others. Meanwhile, by making the update process slower and more intrusive, Oracle reduces the likelihood that users will successfully patch their computers. Instead, Oracle should make the update process as quick and easy as possible -- eliminating unnecessary steps and showing users that security updates are quick and trouble-free.


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#2 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 13,582 posts

Posted 24 January 2013 - 06:57 PM

If you use the offline installer rather than the online install, you don't get the toolbar option. For instance, at http://java.sun.com/...oads/index.jsp, under the Product / File Description, instead of selecting Windows x86 Online, select Windows x86 Offline instead. If you need the x64 version (for x64 systems you should install both the x86 and x64 versions), the only option for PCs, Windows x64, is an offline installer, and that offline installer also excludes the added toolbar.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings

MS MVP 2009-20010 and ASAP Member since 2005


#3 cnm

    Mother Lion of SWI

  • Administrators
  • 25,269 posts

Posted 26 January 2013 - 01:12 AM

In view of all the recent warnings about its vulnerability I'd advise uninstalling all Java.  Then if you find you need it, install the latest version.

Sounds like the offline installer is the way to go if you really need Java.  

A close look at how Oracle installs deceptive software with Java updates

The evidence against Oracle is overwhelming. 

Specifically:

  • When you use Java’s automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
  • With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s “recommendation,” you end up with unwanted software on your PC.
  • IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
  • The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.

 

etc.




#4 pinkcomputercat

    Member

  • Helper Trainee
  • 3 posts

Posted 26 January 2013 - 09:59 PM

Hi all,

I just formatted an old laptop with Windows 7 and installed the offline version of Java. It worked fine with no opt-outs.

Now I think I might just uninstall it, no problem there... but...

I really, really, REALLY like VirtualBox!

Is there anything about VirtualBox that might be sketchy?


Edited by pinkcomputercat, 27 January 2013 - 12:14 AM.




