Java scam: How Oracle and Ask profit from sneaky add-ons

Every time users update Java, traps in the program try to trick them into installing useless toolbars and add-ons

Who doesn't love free stuff? I, for one, don't, and neither do millions of users burdened with unwanted software when they install a new update of Java, Adobe Reader, or Skype. Foistware, as it's called, is irritating to users, particularly nontechnical folks who don't know how to get rid of it. Foistware can also plague IT when it has to support naïve users who allow the apps to roost on their PCs.

To be fair, Adobe and Skype (now owned by Microsoft) have backed off from some of their more annoying foistware habits -- but Oracle has not. Here's why: Every time a user is tricked into installing the useless Ask toolbar or McAfee antivirus scanner, Larry Ellison makes a bit of money. And because Java is notoriously insecure (the feds have even warned users to disable it), Oracle keeps pumping out patches that give users yet another opportunity to inadvertently install the foistware. You'd almost think the endless patches exist as excuses to deliver foistware.

As you'll see, this nasty little scam has a link to America's former first daughter: Chelsea Clinton.

I welcomed Oracle's acquisition of Sun in 2008 -- someone needed to save what was left of Sun. I still believe there was no alternative, but the naysayers who warned that Ellison and company would be a lousy steward of the once-indispensable Java software have certainly been proven correct.

How Java tricks you
Harvard professor Ben Edelman, who studies deceptive software practices, and ZDNet's Ed Bott have done an excellent job digging into the foistware scam, giving us a detailed look at how it really works. Earlier this week, Edelman published an extensive analysis of Java, saying, "It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software. ... A security update should never serve as an opportunity to push additional software." (Oracle hasn't responded to my request for comments on Edelman's analysis.)

You've probably noticed that every time you install a Java security update, the Ask toolbar and McAfee scanner are included. The updater suggests that you use the standard installation, and if you do, these programs are loaded by default. If you don't want them, you have to opt out by unchecking a couple of boxes.

That requirement to opt out during a security update is troubling enough, but Edelman found that the install box has another clever trap: Pressing either the space bar or the Enter key has the same effect as clicking Next. Before the user knows it, the unwanted software is being installed.

It's easy enough to fall into that trap or simply click your way through the installation without thinking about it. When you do, you'll see a message telling you that the Ask toolbar or McAfee scanner has been installed along with the Java update.

Of course, when a relatively experienced user sees that message, he or she would probably go straight to the Windows Control Panel to uninstall it. That'll work for McAfee, but not for Ask. That's because Oracle and its partner, Web advertising giant IAC, have done something really sneaky to get around that user action: The toolbar doesn't install itself for about 10 minutes, which means it doesn't show up in the list of programs you can uninstall.
