Sun Slips Firefox Extension Into Java Update

pcardno writes "It seems it's not just Microsoft that have spotted a good opportunity to distribute their software through Firefox Addons. On installing the latest annoying, sysbar bubble based Java update, my Firefox informed me that I had a wonderful new Java addon automatically. Here's the addon screenshot. Yes, I could opt out of it, but why are Sun installing Addons to my Firefox without me making specific choices in the application itself? To be clear — I have never chosen to install this Addon, yet it has been installed without my permission with the latest Java Update."

Re:You're right--convenience sucks

[Jeff+DeMaagd]

The problem is that this should be an opt-in system, not opt-out later by going in.

You talk about convenience, but they certainly don't offer as convenient of an opt-out as they should have.

Re:You're right--convenience sucks

[SatanicPuppy]

In order to have this happen to you, you have to install a completely optional automatic update package from Java, so you are opting in.

That it doesn't ask you again later doesn't mean much.

bitch, bitch, bitch. You wanted Java, right?

[ClioCJS]

And of course if it asked you and it said no, complainers like you would be complaining about how Firefox doesn't properly support JAVA later.

And of course, if you were a dumbass who didn't understand what extensions were, you might say No out of fear, and then later decide you don't like java. And then later decide buying an iPHone isn't that bad, because it doesn't support java, but java never works anyway.

At some point, you have to let the machine work for you. Remember all the people who complained about windows asking your permission before doing anything possibly harmful? Seems like whether you ask people or not, someone is going to whine on either side of the fence.

In a world of whiners, I'd rather have Javascript work on their browsers.

There's enough problems with things BROKEN because people DON'T do automatic updates. Then when updates to happen automatically, people STILL whine.

Can't win.

Re:bitch, bitch, bitch. You wanted Java, right?

[db32]

Java != Javascript.

Quickstarter....

[nvrrobx]

It helps preload the JVM so that any Java applets load faster.

It's not some evil conspiracy.

You told it to update your computer. It didn't tell you exactly what it was doing. Does Microsoft Update tell you everything it's going to touch?

If you don't like it, run Linux, install SELinux and block everything by default.

Not trying to sound like a dick, but this really is a non-issue.

Re:You get what you pay for.

[TheKidWho]

The less you pay, the more you get!!!

And you'll like it too.

Re:Unlike Microsoft, this one benign and documente

[ADRA]

Yeah, what a complete waste of a story. It is installed with java which preloads core java so that when your browser runs applets, they start faster... Damn those frigging bastards at sun for making my life easier!

Re:You're right--convenience sucks

You're right, you have to turn it off - because you sure as hell can't uninstall it.

It's unwanted, it's unneeded (Java works fine without it) and it's useless (all it does is waste memory and make Firefox take even longer to start).

So why does Sun force it onto us without even asking? Damned if I know.

Fortunately it's easy to disable. Unfortunately it gets reenabled every single time you update Java, which is a fairly routine thing thanks to the massive number of security holes lingering in Java. (Even worse, if you allow it to update automatically, this just happens in the background, so your only sign that it got reinstalled behind your back is Firefox randomly being slower).

Honestly, I only have Java installed for a couple of "enterprise" applications I use that require the massive Java bloat. I'd much prefer it keep its hooks out of my browser: Java applets are dead and have been for years. The only reason I have Java at all is thanks to the "enterprise" weenies who think that J2EE makes everything better.

But you can't keep it out of your browser. Install it, and it sticks its hooks into your browser without giving you an option. Even better, it now advertises Open Office and demands that you register Java.

But this isn't really news - Sun's been doing that for at least the past year and quite possibly longer. It's not a new feature.

It's still scummy, and makes me incredibly wary about using any Sun software (eg Open Office and MySQL) for fear of what Sun bloat now lingers in them.

Re:Stop this right now

[TheKidWho]

Maybe, but the source code is available, why don't YOU do it?

Re:Unlike Microsoft, this one benign and documente

[batkiwi]

What does the MS one do that's not benign?

Re:Unlike Microsoft, this one benign and documente

[MrMista_B]

So if someone breaks into your house and cleans your kitchen, you'd think that's okay too?

Re:Unlike Microsoft, this one benign and documente

[zullnero]

Neither is benign. When you tamper with a customer's third party software, you 1. Ask them first, and 2. Let them back out easily. Microsoft and Sun did neither of these. Not only are they spitting on good software standards, they're spitting on their users by doing this.

Re:You're right--convenience sucks

[cabazorro]

Like getting a free oil change and complaining about the windshield sticker next service reminder?

Re:Unlike Microsoft, this one benign and documente

[gbjbaanb]

You install the Java plugin, you expect it to modify your browser.

only he didn't install the plugin, he updated the JRE.

There's a much simpler way

[Rix]

Simply only allow them to be installed through Firefox. If one of these crapware installers wants to ad one, make it open Firefox with the xpi installer.

And make it default to cancel.

Re:There's a much simpler way

[anaesthetica]

This is a security issue really. Firefox shouldn't run any extensions not explicitly approved by the user. If a third-party installer puts an extension in, Firefox should keep it disabled until the user explicitly enables it (or uninstalls it) in the Addons Manager.

If legitimate companies are stooping as low as illicit extension installs into Firefox, it is an obvious next step for spyware and malware programs running on people's computers to begin to do the same. It doesn't matter that Firefox alerts you when new extensions have been installed on startup—if a malware program installs an extension with an innocuous name (e.g. "MS Internet Security") most people won't think twice and will allow it to remain activated.

Mozilla should not wait for Fx3.1 or Fx3.2 to implement some kind of protection scheme against this—this should be rolled out to all Fx3.0+ users in a security update.

Re:There's a much simpler way

[BitZtream]

The user did approve them, by lettering code run on their machine that updated software. The security issue is the stupid users who allow the updaters to run and then get pissed off when they update stuff.

'OMG FIREFOX IS INSECURE BECAUSE THIS OTHER APP I LET RUN WITH ADMIN RIGHTS IS CHANGING FIREFOX'

Jesus I hate when idiots like you post.

This is a security issue, but it has nothing to do with Firefox, its the user. The user allowed the update to update his machine on its own. The security problem is that the user is too stupid to realize that when you allow apps to make whatever changes they want to your system on their own, that they may in fact do just that.

You think Sun is 'stooping as low' as installing an extension that makes the product you installed work?

If an app can write to your system in a way required to make firefox load a new extension, they can do far more dangerous things than installing a firefox extension. If something is writing files (AND registry keys in this case) to system folders, don't you think the problem is with your file/registry permissions, not the fact that the app is doing what it was designed to do?

The way this works is BY DESIGN. Its useful for allowing a plugin or extension to be installed BEFORE firefox, so you can install flash, acrobat reader, or some other random plugin, and then in the future when you run firefox for the first time, it will know about the plugin and it will just work.

You sir, are clueless about security. Please stop pretending you know about it.

Re:There's a much simpler way

[anaesthetica]

This is a security issue, but it has nothing to do with Firefox, its the user.

That's the excuse we used to use with Windows too. But everyone has since realized that while you can never inoculate against dumb users, some software is inherently less secure because of the way it is designed. You're right that if users had perfect knowledge of what they were running, what they were installing, and what it all meant, then there would be no problem. Unfortunately that is not the case—in practice, people have limited knowledge about what they're running and what they're installing, as evidenced by the wild success of spyware and adware and malware. Tens of millions of users have malware running local code while logged in on admin-level accounts, the malware is running without their full knowledge, and this presents a wide open vector for attack.

We can follow your model, in which we place the onus entirely on the user. And similar to abstinence-only sex ed, which ignores the well-demonstrated reality of human behavior, it will fail and Firefox will be exploited. Or we can follow my model, which adds another layer of security on the assumption that people do make mistakes and ill-informed decisions, and design around that. Firefox's good reputation will be preserved, with trivial hassle to the end user.

Re:You're right--convenience sucks

[ShieldW0lf]

You are opting in to the update, not the Firefox extension. That's installed silently as part of the update. The only reason it was detected was that Firefox told him that it had been installed, after the fact. If it were, as you claim, opt-in, he would have been asked if he wanted it before it was installed. See the difference?

I can't test this myself, don't have a Windows machine here, but every time I've installed Java on Windows in the past, it scanned my machine and asked me if I wanted to install support into each of my browsers, which generally consisted of Firefox and IE. And after I said yes, it did some mucking about in the internals of my browsers to make them interact properly with JRE.

If you already did this, in the past, then you already gave them consent to integrate into your browser. So, the difference is, now you can see the evidence in your Add-On's list, where before you couldn't.

So, this doesn't resemble MS's stunt at all. Nice move posting a big fat broken link right at the top of the story, by the way. Smooth...

Re:You're right--convenience sucks

[Score+Whore]

Um, JVM have always included plugins for browsers. Being shocked or surprised at this is like being flabbergasted and croggled by Mozilla Corp adding a "know your rights" bar rather than a click through EULA in version 3.05. Or like the FSF including a getwchar() in libc.

It is what it is.

Mozilla needs to shut this down now

[Kaboom13]

How many IE installs have you seen with a dozen ugly search bar below the title bar? It seems like every app installs one, if you are lucky they hide a little checkbox and disclaimer in the installer to avoid it. it's one of peoples big annoyances with IE, even if at it's core it's not IE's fault. I installed Foxit Reader on my laptop the other day, and did not read all the options. To my surprise I had some ridiculous Ask.com toolbar in my firefox install.

Currently if you try to install an extension, Firefox pops a warning up. It needs to do the same if another app installs one. All extensions need to be uninstallable, they need to remove all options otherwise. Ideally, it would be able to verify the integrity of all browser files from a secure source and delete anything that did not follow the "rules" (I.e. can be uninstalled at any time).

All extensions not installed by direct user action (ie going to the firefox addons menu and choosing to install it) should start disabled and have to be manually enabled before they can work.

Firefox is gaining ground in the browser wars, and that means it is going to be targeted. Already malicious sites that attempt to exploit flaws in Firefox exist and are growing in number. I expect it's just a matter of time before spyware extensions start showing up, claiming to do something useful while reporting your browsing habits.

Mozilla foundation needs to keep in mind it is YOUR computer, and YOUR browser, and it should only do the things you want it to, regardless of what other companies want.

Ive been using Firefox since it was called Firebird, and despite the many improvements, it will be a victim of it's own success if it is not careful.

Re:Mozilla needs to shut this down now

[BitZtream]

Currently if you try to install an extension, Firefox pops a warning up. It needs to do the same if another app installs one.

Already done, had you even read the summary you'd know thats how this started, the handitard that posted the original noticed it when Firefox warned him that a new one had been installed.

All extensions need to be uninstallable, they need to remove all options otherwise.

No, they don't. There are provisions that allow network admins to install plugins. Regardless of what you think, its not always up to you what runs on the PC your using. Firefox (the user running it) may not even have permission to remove the files or settings, in which case its going to fail.

Ideally, it would be able to verify the integrity of all browser files from a secure source and delete anything that did not follow the "rules" (I.e. can be uninstalled at any time).

You are obviously very young and naive. Its practically impossible. And even if it were possible, if they did this, then you would bitch that they were controlling what extensions could be installed (like apple and the app store). If they don't do it you bitch that they should.

All extensions not installed by direct user action (ie going to the firefox addons menu and choosing to install it) should start disabled and have to be manually enabled before they can work.

You have an extremely narrow view of the world. In a corporate network, users don't get to control everything so doing what you say would cause more problems and probably wouldn't work anyway as the network admins would probably have file permissions set in a way that the user wouldn't have a choice in the matter.

Mozilla foundation needs to keep in mind it is YOUR computer, and YOUR browser, and it should only do the things you want it to, regardless of what other companies want.

You need to keep in mind that no one cares what you do on your little home PC, and that there are far more reasons to use a PC that don't involve you, and many of those reasons probably don't fall into your little view of what would be perfect for YOU. There are many times when its NOT YOUR computer, so you DON'T get to do whatever you want with it. You are not entitled to have things your way just because you are alive.

Ive been using Firefox since it was called Firebird, and despite the many improvements, it will be a victim of it's own success if it is not careful.

So you've been using Firefox for a while, you're still clueless. If by victim of its own success you mean holding a large market share and being accepted by companies rather than being forced to use IE at work, then I'm okay with that.

You're going to be ignorant and bitch regardless, so Mozilla really could give a flying fuck what you think :)

Re:Unlike Microsoft, this one benign and documente

[Ilgaz]

...and JRE finally, finally showed some kind of Desktop user touch by preloading frequently used classes (or their metadata, more like prebinding/prefetch) to memory in ages of 64bit running laptops with 4+ GB memory.

If I was still on windows and also using applets a lot, I would thank Sun via feedback especially if I had portable with traditionally fragmented NTFS disk.

They were doing harm to users and even Firefox by not implementing that long overdue optimisation which means browser was essentially freezing or choking when most basic java applet hits it.

They unimaginably trust to Apple for Java updates but if they manage to run it as normal (non admin) user, it would be a nice touch for Linux JRE.

Re:You're right--convenience sucks

[davester666]

Every once in a while, a PDF will render better in Acrobat Reader than Preview. But I haven't come across one in quite some time. I used to have Reader 5 as my default PDF reader on Mac OS X (years ago), because it was faster and more compatible than Preview (back then), but with Tiger and Leopard, Preview has totally kicked Reader to the curb.

I would say, since version 8 (maybe even 7), Acrobat Reader has jumped the shark, with wacky 3D features, more DRM then you can shake a stick at, Javascript scripting, video and audio support, and now just throwing in AIR, just to artificially boost their install base. Adobe seems to have forgotten what their original reason for PDF was, and is now just throwing everything they can think of into it...

Simple Solution:

[crhylove]

Don't install java. On anything. Ever. Every time I've installed java in the past, I've been instantly and immediately reprimanded by poor performance, extra processes, random slow downs, and other general crap.

I won't install java.

I won't install apps that require java.

People keep telling me "It's gotten better!" and some such nonsense, but so? It sucked so bad in the past, I'll give it another shot in say, five years, when it's been completely open sourced and fixed. I only use FOSS because it's good, not because I'm a zealot. :) Java is not good, no matter it's current state of source code availability or not.

Re:You get what you pay for.

[theshowmecanuck]

Sure, use Mozilla Firefox so that you can avoid proprietary browsers that may exploit their users by forcing them to install or use services that we don't want. Or even install plugins and such without telling you! [look of utmost shock and horror] Those horrible proprietary browser makers!! [/look of utmost shock and horror] Imagine... oh those horrible vendors. Just imagine them installing plugins to your browser that could compromise your security... impact your system's performance... possibly open up your personal information to being 'borrowed' etc. etc. etc. And they don't even tell you or give you a way to uninstall them! Sheesh, or just the nerve installing something without telling you... the nerve! That would be like malware! BUT... if you use our super slick browser, Firefox, you can avoid all that. WE won't do that!

Yes folks, use Firefox since we aren't some big proprietary company and we won't do that. We won't install addons or plugins without your knowledge and especially without you being able to uninstall them. We are Mozilla: open source and secure and all for your rights online! But what the heck, we won't stop the big proprietary companies from installing stuff on your machine without you knowing or being able to uninstall it. That just wouldn't be right! It would be like stepping on THEIR rights. And heck, it's only YOUR machine, what the hell do we care?

It's not like we got our market share with your help by advertising ourselves as the browser that is more secure and better able to prevent malware from installing on your system. Next time don't install any Sun Java updates and stop bugging us about your problems... we have better things to do than making it easy to uninstall unwanted addons snuck in with seemingly benign updates... like coming up with cooler Mozilla home pages telling everyone how cool we are.

It was only a matter of time after Mozilla was incorporated that this type of thinking was bound to take root there.

Re:You get what you pay for.

[thePowerOfGrayskull]

Erm.... this had nothing to do with Mozilla. Sun's java updater installed a firefox plugin. Mozilla didn't install it. Mozilla didn't endorse it. In fact, all mozilla did was build a browser.

But hey, don't let the facts get in your way...

Screenshot

[BitZtream]

This whole posting is dumb but...

I really fail to see how anyone with 'TwitterBar' extension installed can bitch about the Java quickstart extension.

I guess if I would have looked at the screenshot sooner I would have realized the guy is just a douche bag and skipped this one :/

Re:You're right--convenience sucks

[thePowerOfGrayskull]

Combine 15% truth with 85% bullshit, and voila! Instant troll mix!

Re:You get what you pay for.

[BikeHelmet]

I don't see why people are upset about this.

1) The addon/plugin is tied to your computer - not your profile. It's similar to installing quicktime. It registers plugins with your browser. But for some reason it shows up as an addon rather than as a plugin - perhaps because of the featureset it requires? It looks like they split prefetching functionality from the main plugin, so that it can be disabled if desired.

2) It's easy to turn off. Just go to the java control panel and disable it. If you can't figure it out, here. (first result on google)

3) Prior to Firefox 3, nobody even knew this stuff was running. Now you do, and you actually have the option to disable it, or totally remove it. Isn't this a good thing? Why are you screaming now that you know it's there?

4) This happened something like 6 months ago.

5) This feature was not "slipped in". Sun wrote about it in April 2008. Maybe if you were going to throw a fit, you should've done it when they first announced it.

6) Technically you did choose to install the addon. It's part of Java. A checkbox when installing would be nice, but really, isn't required - especially since this is easy to disable, and the functionality is known, and has been disclosed for almost a full year.

If you want something ludicrously invasive, go look at OpenOffice. It silently steals file associations, has no way to manually register extensions, etc.; half the changes they make are so poorly documented that deploying a new version in a production environment can leave things totally FUBAR.

(not that I'm dissing them - just pointing out that this isn't a big issue to me, because Sun did just about everything right, and people are still screaming about it - typical)

Re:You get what you pay for.

[atraintocry]

I know that is a fine point for you to grasp

Ironic, since you don't have a clue. The actual reason is that if you don't use Firefox to install the add-on, Firefox doesn't know where the files are located. In addition, if they are in the application directory, a privilege elevation is required.

The worst you could say is that it's shortsighted. It is certainly not malice. These are the type of devs that deny huge memory leaks over and over again with a straight face, remember?

In any case, you can always disable any add-on. And if you think Java is malware then I wouldn't have my PC in the same state as you, let alone lend it out.

Firefox plugin...

[Bert64]

The install of Java already includes a java browser plugin, they are only extending it's functionality with a firefox addon rather than doing something completely new and unexpected.