
A close look at how Oracle installs deceptive software with Java updates

363 points by Hagelin over 12 years ago

35 comments

chrisacky over 12 years ago
Just to tell my experiences on this, I was *forced* to install the crapware last week. There was no way for me to uncheck or opt out of the checkbox.

I have machines which I connect to that do not have any mouse connected. I have no problem in navigating systems with a keyboard and can run through installers probably quicker than most people with a mouse can, but when this dialog popped up for me, I was stumped for about 10 minutes. I employed every shortcut in my keyboard-shortcut arsenal and fell short.

I genuinely felt like this was not just some programming mistake (because the "Next" control was already highlighted waiting for me to hit Enter). It is a dark pattern that was purposefully introduced to their installer to make it impossible for users like me to opt-out of their installer.

A consequence of their deception was that they did get a dozen installs from me, but my dislike for Oracle increased tenfold, and in a quiet-protest, I'll make damned sure that I suggest any alternative to an Oracle product when I have reasonable alternatives (Without cutting off my nose to spite my face).
neya over 12 years ago
Ladies and gentlemen, introducing THE fugliest company of all time - ORACLE.

The company that sued Android unsuccessfully, The company that fucked up JAVA, The company that fucked up MySQL, The company that fucked up OpenOffice, The company that doesn't like anything good happening within the tech sector.

I *really* miss those days when Oracle was highly respected and used to be a great workplace to be a part of.
NelsonMinar over 12 years ago
It's a nice racket Oracle has. Every time they release a security fix, they make a few hundred thousand bucks on drive-by installs. Security holes as business model.
Aardwolf over 12 years ago
This sums up everything I find wrong about the Windows philosophy. Software whining for updates. Unwanted background programs. Installers that want to install more than you ask for. Usage of the phrase "We recommend" where recommend means "we get money if you".

I've never seen any of those terrible anti-user behaviours in a Linux package manager, or makefile.

I would be fine with an actual security fix being downloaded and installed silently (without any other payload of course).
mpweiher over 12 years ago
So are the Feds going to go after Oracle and Larry for "unauthorized access to a computer" and "wire fraud"? With, like, real jail time?
edandersen over 12 years ago
Looks like YC should make an investment!
DoubleMalt over 12 years ago
Well when after the last security issue there were articles calling end users for uninstalling java completely, I was pretty mad at the missing distinction between the plugin and the runtime.

But now I really think this is a good thing to recommend under windows.

I will still continue using OpenJDK for server projects under Linux, but will press for different solutions whenever installation of Java on a Windows machine might be required.
manaskarekar over 12 years ago
Can someone comment on how .NET platform + tools compare?

As someone who is not invested in either camp, between the two, .NET seems like a much better place to be invested in right now.

Edit: Thanks a lot for the replies, I'm much better informed.
brown9-2 over 12 years ago
You would think that a company Oracle's size wouldn't need to resort to install commissions from something like this.

You would think that after several years of conning people into using their search engine, the employees at Ask would feel dirty to have to engage in such tactics.
jakub_g over 12 years ago
One additional note regarding the installer: to opt out of the toolbar installation, you have to click *the checkbox itself*. You can't click the text label associated to it. I call it a bug, but certainly it's a feature in this context.
regularfry over 12 years ago
This problem has been known and complained about for *ages*. What's the community response? We have OpenJDK, why does anyone put up with an abusive installer from Oracle?
nnq over 12 years ago
Java could have been such a good thing, even in the browser (ok, as platform, ignoring the language's shortcomings, but still...). Why did both Sun and Oracle strive so hard to fuck it up? *It's as if these guys have a "how to fuck things up for the end user" brainstorming meeting every week!*
gus_massa over 12 years ago
I really hate the crapware, and I hate more the "opt-out" crapware. But the "summary" of the article is a little unfair:

*Oracle's Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. [...]*

The updates and security fixes include not only the plugin, but all the Java runtime that is much bigger and complex. (For example, one of the updates was: http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html#AppendixJAVA ). This is like accusing Chrome or Dropbox of being insecure, because they do a lot of updates (that are automatic, invisible and don't offer crapware).
fencepost over 12 years ago
Crapware-free downloads ARE available.

If you go to Oracle's Technology Network area to download (or Google for the specific version e.g. "java 6u38" or "java 7u11 oracle" because of all the press) you can agree to their binary license and download crap-free offline installers.

The link for 6u38 is http://www.oracle.com/technetwork/java/javase/downloads/jre6u38-downloads-1877409.html and the link for 7u11 is http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
peapicker over 12 years ago
Interesting how many comments about desktop Java being dead, when the highest selling video game still available and being developed is Minecraft, written in Java, which runs on the desktop... (over 9 million registered users, and still increasing... enough to make it the #9 all-time selling video game)

I will admit tho, for traditional desktop apps, it is very dead.
edgesrazor over 12 years ago
I'm glad this was said in a much larger avenue than my paltry Twitter account. To bundle a toolbar installation in with a major security fix is not only dishonest, it's unethical and who's to say that toolbar isn't the next piece to contain a security hole?
nodata over 12 years ago
A sleeping add-on installer that waits ten minutes? Sounds kind of rootkit-y, opt-in or not.
bhauer over 12 years ago
I can't sympathize with this article and most users in this thread because I don't understand why anyone uses Java within web browsers. Today, Java is for server-side code. Full stop. Okay, I know some people still have to use Applets, but none of us here, right?

Kidding aside, I've installed the Oracle JDK on dozens of Windows machines and not once have I been prompted to install a toolbar or bloatware.

1. Navigate to java.oracle.com
2. Select Java SE.
3. Select to download JDK SE 7u11
4. Accept license agreement
5. Download Windows x64
6. Open installer
7. Select to install "Development Tools" and "Source Code" (disable "Public JRE")
8. Wait and then close installer
9. Run c:\java\bin\java.exe
10. Review Windows' "Programs" and note only JDK has been installed; no toolbars
11. Celebrate

I suspect many people are installing the JRE, which is something I've never done. Since the JDK can run Java code, why install the JRE at all?
thesis over 12 years ago
Last update I received I clicked the next button a little too fast. I realized after I went through the dialogs too quick and I figured no big deal I'd just cancel it when the McAfee dialog came up. It never did... all of the installation was in the background.

Shady!
facorreia over 12 years ago
I think the Java plugin should start to be flagged as malware given the persistent presence of holes that allow remote execution of arbitrary code, the clever bundling of questionable software and the update wizard behavior.
alayne over 12 years ago
Sun was installing toolbars before Oracle bought them. I remember them bundling the Yahoo toolbar with Java.
chadscira over 12 years ago
What really upsets me about this is that it's Java that they are stuffing this adware into... Java a previously legitimate requirement that many applications have chosen to build on top of as a language/platform. For the average user it looks like all of these other programs are promoting this... I'm surprised that they can get away with it.
kjackson2012 over 12 years ago
Fuck Oracle. And unfortunately, I guess that means Fuck Java too. This is the exact kind of stupid behavior that kills great technologies like Java, by stupid, greedy people that care more about money than technology. If this is how they expect to treat their users, I'll switch permanently to Python, PHP, and anything else besides Java.
king_magic over 12 years ago
I happily uninstalled Java from all of my machines/OSes last week. Glad to be rid of it.
jiggy2011 over 12 years ago
I think this is in a large part due to the way programs install on Windows perhaps.

These programs seem to rely on getting the user to make a choice during installation time. Windows is the only major OS that seems to rely on "installers" being programs in their own right.

For example on debian, .deb packages provide a standard installation process. Whilst it would still certainly be possible to inject all types of crapware into a .deb the actual install process is not really conducive to this, because there is no way (AFAIK) to pop a custom screen during the install.
pasbesoin over 12 years ago
One reason I always download the full installer (even to upgrade), rather than using the Java update notification service (it runs, but when it prompts with an update -- if it does so before I manually upgrade -- I use that notification as a cue to go download the full installation; I *don't* let the service upgrade me).
emmelaich over 12 years ago
My experience is that the one from java.sun.com does not have the crapware. Especially if you install jdk?

The one from java.com does.

I'm not 100% certain though.

BTW, there is a process to install java without the installer and without admin rights on Windows. The process is described on say StackOverflow but I have it scripted.

I should put it up on github sometime!
d4vlx over 12 years ago
Too bad Google missed out on buying Sun.
DHowett over 12 years ago
I was just about to decry ZDNet for calling the kettle black here, but it seems they removed the scummy invisible pop-up ad click target they used to put in the negative space next to the column.
andmarios over 12 years ago
I do not have any such issue. Are you sure this sidebar comes with the official java installer from www.java.com?

From what I've heard, I guess it comes with Java installers from 3rd party sites.
suyash over 12 years ago
Do not take this article seriously. This is a garbage post and the problem is with ASK and not Oracle here.
aydoubleyou over 12 years ago
And this is why Apple creates their own install packages for Java.
adamkochanowicz over 12 years ago
This seriously changes my opinion of Oracle.
doctorpangloss over 12 years ago
Isn't it a little ironic that we're reading an article about foistware where the author searches for his own book on multiple search engines?
kahawe over 12 years ago
I used to work with Sun for quite some time; I can say without failure every single Sun tech I came across was pretty damn cool, knew what they were doing and was hooked up in the Sun-universe enough so they could provide excellent pointers and ultimately that translated into happy customers. On top of that a lot of their enterprise-y software wasn't half bad to begin with, it was just always terrible getting good documentation and information as an "outsider" oh and there were a couple of years when you could just forget the sorry excuse they passed off as "support". But there was always the possibility of going "black-ops", just de-compiling and providing your own fix and although this is far from great, things just worked and everyone was happy. Sun's suits didn't really matter from our point of view anyway, they did no harm, stood in nobody's way, shook hands and invited folks to dinner when appropriate. Fair enough, you cannot really ask for more, anymore and it would literally be paradise, so I was happy with that. Even though I never got that project manager I was basically paying for...

Enter big red. Talking to brain-washed zombies cannot feel very different from talking to Oracle's sales drones and customer relation dummies. You were talking about "A", they would start trying to sell you pricey-addon for the database when you weren't even talking databases in the first place. Whoever was a useful tech contact inside Sun before now turned into a walled-off zombie as well and I guess I was lucky they didn't just slap a price tag on picking-up the phone or simply answering an email. And to top it off I had to suffer one of their pre-sales dummies loudly telling an oh-so-ridiculous story how, can you imagine, bigcorpA was running tomcat(!) in their production environment! And not the abomination from hell that Oracle gets away with charging huge amounts of money for!! Well can you imagine that!!!

Another case of too-big-to-fail and nobody ever got fired for buying Oracle, hm?