Oracle, please stop sneakily foisting third-party toolbars on us with your Java updates

Graham Cluley

If you’re installing a critical security update on your computer, caused by the software vendor’s sloppy code quality, you probably wouldn’t dream that your software vendor is trying to make some money out of the inconvenience.

And yet that’s exactly what Oracle seems to be up to with its (sadly necessarily frequent) security updates for Java.

As Ed Bott explains in this excellent article, when the world was rushing to install an essential Java security update last week, the software vendor attempted to install a third-party toolbar and change your browser’s search engine.

Java setup

Yes, Oracle has chosen to enable the option to install the Ask Toolbar and meddle with your search engines. Why? Because of profit. They earn more commission, the more people they get to install the third-party software.

You wanted to install the latest version of Java because you wanted to protect yourself against potential attack by cybercriminals. But you have to be really careful not to accidentally install unwanted software like the Ask Toolbar at the same time.

IT managers may be able to handle underhand tricks like these, but what hope is there for the average computer user, who will – most likely – just be automatically hitting “Next”?

(Oh, and if you want to know why you might want to avoid installing the Ask Toolbar, check out this analysis by Ben Edelman).

It’s not just Oracle/Ask who are guilty of tricks like this of course.

You may remember the brouhaha that erupted after CNET served up its download of the tasty Nmap network tool with a disagreeable side-dish of the Babylon toolbar.

And then there’s Adobe – a company not unfamiliar with the need to issue regular security updates for its Flash and Acrobat products.

I’ve lost count of the number of times in the past Adobe has tried to sneak McAfee software onto my computers.

Adobe pimping McAfee

A quick search of Adobe’s community forums reveals the bundling hasn’t been popular with their users:

Complaints from Adobe customers about the bundling of McAfee

Of course, McAfee’s software is considerably more useful and desirable than the Ask Toolbar. But it should be my conscious and informed decision as to whether I want to install it or not. For vendors to pre-select options to install unconnected third-party software in an installer is just wrong.

I think it’s wrong for software companies to take advantage of users’ eagerness to install a security update in this way.

Oracle and others are choosing to pre-check the box – that’s a conscious decision on their part because they know that more people will install the bundled software (or “foistware” as it’s becoming known) as a result.

It’s an underhand trick designed to make them money, and customers deserve to be treated better than this.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
