Sun Slips Firefox Extension Into Java Update

pcardno writes "It seems it's not just Microsoft that have spotted a good opportunity to distribute their software through Firefox Addons. On installing the latest annoying, sysbar bubble based Java update, my Firefox informed me that I had a wonderful new Java addon automatically. Here's the addon screenshot. Yes, I could opt out of it, but why are Sun installing Addons to my Firefox without me making specific choices in the application itself? To be clear — I have never chosen to install this Addon, yet it has been installed without my permission with the latest Java Update."

You get what you pay for.

[Divebus]

You get what you pay for... and then some.

Re:You get what you pay for.

[TheKidWho]

The less you pay, the more you get!!!

And you'll like it too.

Re:You get what you pay for.

[jetsci]

...the last time 'Sun' slipped me something I woke up groggy and sore...

Re:You get what you pay for.

or mozilla can fix the fucking bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=446139

Re:You get what you pay for.

[BikeHelmet]

I don't see why people are upset about this.

1) The addon/plugin is tied to your computer - not your profile. It's similar to installing quicktime. It registers plugins with your browser. But for some reason it shows up as an addon rather than as a plugin - perhaps because of the featureset it requires? It looks like they split prefetching functionality from the main plugin, so that it can be disabled if desired.

2) It's easy to turn off. Just go to the java control panel and disable it. If you can't figure it out, here. (first result on google)

3) Prior to Firefox 3, nobody even knew this stuff was running. Now you do, and you actually have the option to disable it, or totally remove it. Isn't this a good thing? Why are you screaming now that you know it's there?

4) This happened something like 6 months ago.

5) This feature was not "slipped in". Sun wrote about it in April 2008. Maybe if you were going to throw a fit, you should've done it when they first announced it.

6) Technically you did choose to install the addon. It's part of Java. A checkbox when installing would be nice, but really, isn't required - especially since this is easy to disable, and the functionality is known, and has been disclosed for almost a full year.

If you want something ludicrously invasive, go look at OpenOffice. It silently steals file associations, has no way to manually register extensions, etc.; half the changes they make are so poorly documented that deploying a new version in a production environment can leave things totally FUBAR.

(not that I'm dissing them - just pointing out that this isn't a big issue to me, because Sun did just about everything right, and people are still screaming about it - typical)

Re:You get what you pay for.

[atraintocry]

I know that is a fine point for you to grasp

Ironic, since you don't have a clue. The actual reason is that if you don't use Firefox to install the add-on, Firefox doesn't know where the files are located. In addition, if they are in the application directory, a privilege elevation is required.

The worst you could say is that it's shortsighted. It is certainly not malice. These are the type of devs that deny huge memory leaks over and over again with a straight face, remember?

In any case, you can always disable any add-on. And if you think Java is malware then I wouldn't have my PC in the same state as you, let alone lend it out.

Re:You get what you pay for.

[leenks]

Java has been released under the GPL (pretty much all of it, bar a few small parts that are unable to be released due to patent / licencing issues). The Java you download from Sun is under their licence because it contains those patent uncumbered pieces still.

For linux you can download IcedTea which is essentially a build of the open sourced Java7 code from openjdk.org.

You're right--convenience sucks

[perspectival]

Yes, now you have Java working in Firefox. Turn it off if you don't like it. Simple.

Re:You're right--convenience sucks

[Jeff+DeMaagd]

The problem is that this should be an opt-in system, not opt-out later by going in.

You talk about convenience, but they certainly don't offer as convenient of an opt-out as they should have.

Re:You're right--convenience sucks

[SatanicPuppy]

In order to have this happen to you, you have to install a completely optional automatic update package from Java, so you are opting in.

That it doesn't ask you again later doesn't mean much.

Re:You're right--convenience sucks

[davester666]

Same with Acrobat Reader (at least on Mac OS X, probably also on Windows), where Adobe installs, both without warning OR notification that they install Adobe AIR. And they don't use Apple's installer, so you can't even find out what files they've spammed to you system.

Acrobat Reader 8-109 Mb
Acrobat Reader 9-190 Mb

Re:You're right--convenience sucks

[techno-vampire]

so you are opting in.

You are opting in to the update, not the Firefox extension. That's installed silently as part of the update. The only reason it was detected was that Firefox told him that it had been installed, after the fact. If it were, as you claim, opt-in, he would have been asked if he wanted it before it was installed. See the difference?

Re:You're right--convenience sucks

You're right, you have to turn it off - because you sure as hell can't uninstall it.

It's unwanted, it's unneeded (Java works fine without it) and it's useless (all it does is waste memory and make Firefox take even longer to start).

So why does Sun force it onto us without even asking? Damned if I know.

Fortunately it's easy to disable. Unfortunately it gets reenabled every single time you update Java, which is a fairly routine thing thanks to the massive number of security holes lingering in Java. (Even worse, if you allow it to update automatically, this just happens in the background, so your only sign that it got reinstalled behind your back is Firefox randomly being slower).

Honestly, I only have Java installed for a couple of "enterprise" applications I use that require the massive Java bloat. I'd much prefer it keep its hooks out of my browser: Java applets are dead and have been for years. The only reason I have Java at all is thanks to the "enterprise" weenies who think that J2EE makes everything better.

But you can't keep it out of your browser. Install it, and it sticks its hooks into your browser without giving you an option. Even better, it now advertises Open Office and demands that you register Java.

But this isn't really news - Sun's been doing that for at least the past year and quite possibly longer. It's not a new feature.

It's still scummy, and makes me incredibly wary about using any Sun software (eg Open Office and MySQL) for fear of what Sun bloat now lingers in them.

Re:You're right--convenience sucks

[SatanicPuppy]

It's automatically updating the entire JRE, and you're worried about some little plugin? That's like opting in to unprotected anal sex and then freaking out at the post-coital cuddling.

Re:You're right--convenience sucks

[TinBromide]

"It's automatically updating the entire JRE, and you're worried about some little plugin? That's like opting in to unprotected anal sex and then freaking out at the post-coital cuddling."

Can you phrase that in some form of a car analogy?

Re:You're right--convenience sucks

Its like getting a call from an auto dealer with the words "Thanks for buying the car, by the way there's a body in the trunk."

Re:You're right--convenience sucks

[Tawnos]

It's like opting in to unprotected anal sex in the back of a voltswagen, then freaking out at the small back seat size when in post-coital cuddling?

Re:You're right--convenience sucks

[cabazorro]

Like getting a free oil change and complaining about the windshield sticker next service reminder?

Re:You're right--convenience sucks

[SatanicPuppy]

You're downloading the wrong packages. If you download from the main java download page it doesn't include the extra crapware.

It will still show a splashscreen for OpenOffice though. Shocking. Quite shocking.

Re:You're right--convenience sucks

[meatmanek]

There's a nifty program called fseventer which lets you watch file changes in real time.

Re:You're right--convenience sucks

[gEvil+(beta)]

A voltswagen? Is that some new electric car I haven't heard about?

Re:You're right--convenience sucks

[mrclisdue]

It's like throwing a stone to knock an apple out of a tree, only to find a worm in the apple.

Re:You're right--convenience sucks

[ShieldW0lf]

You are opting in to the update, not the Firefox extension. That's installed silently as part of the update. The only reason it was detected was that Firefox told him that it had been installed, after the fact. If it were, as you claim, opt-in, he would have been asked if he wanted it before it was installed. See the difference?

I can't test this myself, don't have a Windows machine here, but every time I've installed Java on Windows in the past, it scanned my machine and asked me if I wanted to install support into each of my browsers, which generally consisted of Firefox and IE. And after I said yes, it did some mucking about in the internals of my browsers to make them interact properly with JRE.

If you already did this, in the past, then you already gave them consent to integrate into your browser. So, the difference is, now you can see the evidence in your Add-On's list, where before you couldn't.

So, this doesn't resemble MS's stunt at all. Nice move posting a big fat broken link right at the top of the story, by the way. Smooth...

Re:You're right--convenience sucks

[Score+Whore]

Um, JVM have always included plugins for browsers. Being shocked or surprised at this is like being flabbergasted and croggled by Mozilla Corp adding a "know your rights" bar rather than a click through EULA in version 3.05. Or like the FSF including a getwchar() in libc.

It is what it is.

Re:You're right--convenience sucks

[Plug]

Sounds like a very uncomfortable place.

Re:You're right--convenience sucks

[davester666]

Every once in a while, a PDF will render better in Acrobat Reader than Preview. But I haven't come across one in quite some time. I used to have Reader 5 as my default PDF reader on Mac OS X (years ago), because it was faster and more compatible than Preview (back then), but with Tiger and Leopard, Preview has totally kicked Reader to the curb.

I would say, since version 8 (maybe even 7), Acrobat Reader has jumped the shark, with wacky 3D features, more DRM then you can shake a stick at, Javascript scripting, video and audio support, and now just throwing in AIR, just to artificially boost their install base. Adobe seems to have forgotten what their original reason for PDF was, and is now just throwing everything they can think of into it...

Re:You're right--convenience sucks

[thePowerOfGrayskull]

Combine 15% truth with 85% bullshit, and voila! Instant troll mix!

Re:You're right--convenience sucks

[ConceptJunkie]

Did you install Java to have it NOT work?

Based on my experiences with Java on Linux, I always assumed Sun thought that's what I was trying to do.

Re:You're right--convenience sucks

[BitZtream]

You're whining because you can't uninstall (only disable) half a meg of application, but you're okay with having the entire JRE installed?

Do you have any idea how incredibly stupid you sound?

I'll help you though.

Open regedit
(the following should be done for both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER for any users you want this to apply to)

Go to the 'SOFTWARE\Mozilla\Firefox\Extensions' key (This may be different if you are using an alpha or other version running as a codename (like shredder) rather than a standard release build).

Remove the registry key for the offending extension.

After this, you can also probably remove the directory that key points at if you want it 'uninstalled', you really should use the apps uninstaller unless you're prepared to deal with issues later from the apps own upgrader/uninstaller. Since you're already being a whiney little bitch, I'll just accept you're going to do that no matter what happens.

Now, set the permissions for this registry key to deny write by everyone. You won't be able to write to it yourself, but you can fix the permissions later.

Next go to the directory where you installed firefox and remove the plugins from there. Again set the permissions on the directory (and subdirs/files!) so that you aren't allowed to write to them. You don't need to normally, writes go to your profile directory, only globals go to the main app dir.

Now, you can stop your whining because nothing is going to be installing random firefox plugins or extensions on you. You can then immediately start whining when you can't install some plugin/extension globally because you just made it impossible to do so.

As the original post said, You're right -- convenience sucks.

Further more, disabling a plugin is effectively the EXACT same as uninstalling it with the exception of when you open the plugin manager. If the plugin manager window is not open, the plugin has nothing in memory. The only thing loaded when the plugin manager window is open are what you see in the window and the manifest files that have to be loaded to find the information displayed in the plugin manager window.

I ask again, do you have any idea how stupid whining about the fact that you can't uninstall a half a meg portion of a 20 meg install sounds?

Old

[RockMFR]

I mentioned this during the discussion about the Microsoft add-on three weeks ago. How is this news now?

Re:Old

[Cl1mh4224rd]

I mentioned this during the discussion about the Microsoft add-on three weeks ago. How is this news now?

And it's been going on for longer than that; a few months at least.

http://forums.mozillazine.org/viewtopic.php?f=38&t=921325&st=0&sk=t&sd=a&start=15

Stop this right now

[AlterRNow]

Could Firefox add some sort of public/private key extensions signing so I can sign extensions I want to use? Then unsigned extensions wouldn't be loaded and this sort of thing could be stopped ( by the technical minded anyway ).

Re:Stop this right now

[dmomo]

Sounds like a great idea for an extension!

Malware

[MoZ-RedShirt]

Watch out! It seems that some other malicious updaters installed IEtab and a twitter addon in your firefox, too!

Unlike Microsoft, this one benign and documented

[salahx]

All this plugin does is speed up loading of Java applets. Its benign, and Sun provides instructions on how to turn it off: http://www.java.com/en/download/help/quickstarter.xml .

Is this case a big deal?

[dwalsh]

Applets, you have heard of them?

When you install / upgrade Java, you get support for the latest Java runtime in your browser to run those applets. It has been thus since the olden times (the mid-nineties when Java was launched).

From the description, this is just a performance optimization so the runtime is loaded and you don't get a delay when there is an applet in the page.

Whether I am right about what the plugin does or not, installing / upgrading the Java Runtime Edition has always affected your browser.

bitch, bitch, bitch. You wanted Java, right?

[ClioCJS]

And of course if it asked you and it said no, complainers like you would be complaining about how Firefox doesn't properly support JAVA later.

And of course, if you were a dumbass who didn't understand what extensions were, you might say No out of fear, and then later decide you don't like java. And then later decide buying an iPHone isn't that bad, because it doesn't support java, but java never works anyway.

At some point, you have to let the machine work for you. Remember all the people who complained about windows asking your permission before doing anything possibly harmful? Seems like whether you ask people or not, someone is going to whine on either side of the fence.

In a world of whiners, I'd rather have Javascript work on their browsers.

There's enough problems with things BROKEN because people DON'T do automatic updates. Then when updates to happen automatically, people STILL whine.

Can't win.

Re:bitch, bitch, bitch. You wanted Java, right?

[db32]

Java != Javascript.

Quickstarter....

[nvrrobx]

It helps preload the JVM so that any Java applets load faster.

It's not some evil conspiracy.

You told it to update your computer. It didn't tell you exactly what it was doing. Does Microsoft Update tell you everything it's going to touch?

If you don't like it, run Linux, install SELinux and block everything by default.

Not trying to sound like a dick, but this really is a non-issue.

Re:Unlike Microsoft, this one benign and documente

[ADRA]

Yeah, what a complete waste of a story. It is installed with java which preloads core java so that when your browser runs applets, they start faster... Damn those frigging bastards at sun for making my life easier!

Re:Unlike Microsoft, this one benign and documente

[batkiwi]

What does the MS one do that's not benign?

Re:some info, please

[SatanicPuppy]

It's an automatic update watcher that runs all the time in your taskbar and keeps your JRE up to date.

It's an optional feature that is required by absolutely nothing, and one of the things it does is updates your browser. Apparently now it adds an extra update that does some prefetching that makes java load faster, and we must all riot because we didn't specifically ask for that one.

Re:Unlike Microsoft, this one benign and documente

[MrMista_B]

So if someone breaks into your house and cleans your kitchen, you'd think that's okay too?

Re:Obviously this is something you need....

Look a lot of apps have agents that load on startup so that when you want them the visual startup time is much shorter, because it has been differed to when the system started up.

Over the history of Java people have complained about how long the JVM startup time is. While Sun has made many improvements in this over the years, the FF add-on just assists this even more. When you launch FF and this add-on is enabled it initializes the JVM and the applet sub-system.

This way if you go to a site that has an applet on it, it will appear and be function much more quickly.

Re:Unlike Microsoft, this one benign and documente

[zullnero]

Neither is benign. When you tamper with a customer's third party software, you 1. Ask them first, and 2. Let them back out easily. Microsoft and Sun did neither of these. Not only are they spitting on good software standards, they're spitting on their users by doing this.

How it happened:

I suppose you're wonderin' how this happened:

Sun executives were sitting around one day at a 3-hour lunch getting drunk and making rude remarks to the waitress. One of them said, "How can we sink the company?" After considerable deliberation, one of them had an idea. "I know, we'll get ourselves on Slashdot for doing something dastardly." Another executive said, "Brilliant! No reputable programmer will ever take a job at Sun again."

Then they had to think of something sufficiently sneaky. That's difficult for a drunk person, especially a drunk person that makes millions of dollars a year. That kind of money decreases initiative. Then one said, "We'll just imitate Microsoft! Almost everything they do is sneaky or mean."

And that's what they did.

Warning: Some of this may be fiction. Or, it may be true.

Re:Unlike Microsoft, this one benign and documente

[KiloByte]

It preloads all the bloatness of Java, every single time, even if you installed it just for a single page you visited half a year ago.

Re:Unlike Microsoft, this one benign and documente

[StormyWeather]

Hell if they will do the bathrooms too I'd pay them.

I don't see the problem.

[argent]

There's lots of software that installs browser addons automatically, without even asking you. That's been normal and expected behavior for a decade, it's long since past time to raise Caine over this one.

I think Sun should be accoladed for giving you the option to opt out.

Ever try to install Acrobat without getting the browser plugin? You have to rummage around in the Acrobat directory and remove the plugin component or else EVERY TIME you run Acrobat the plugin will be reinstalled.

Re:Obviously this is something you need....

[gbjbaanb]

It's the same as IE and Office being preloaded with Windows so that they pop up instantly after your new 5 minute boot time.

there, fixed that for you.

Re:Unlike Microsoft, this one benign and documente

[gbjbaanb]

You install the Java plugin, you expect it to modify your browser.

only he didn't install the plugin, he updated the JRE.

There's a much simpler way

[Rix]

Simply only allow them to be installed through Firefox. If one of these crapware installers wants to ad one, make it open Firefox with the xpi installer.

And make it default to cancel.

Re:There's a much simpler way

[anaesthetica]

This is a security issue really. Firefox shouldn't run any extensions not explicitly approved by the user. If a third-party installer puts an extension in, Firefox should keep it disabled until the user explicitly enables it (or uninstalls it) in the Addons Manager.

If legitimate companies are stooping as low as illicit extension installs into Firefox, it is an obvious next step for spyware and malware programs running on people's computers to begin to do the same. It doesn't matter that Firefox alerts you when new extensions have been installed on startup—if a malware program installs an extension with an innocuous name (e.g. "MS Internet Security") most people won't think twice and will allow it to remain activated.

Mozilla should not wait for Fx3.1 or Fx3.2 to implement some kind of protection scheme against this—this should be rolled out to all Fx3.0+ users in a security update.

Re:There's a much simpler way

[BitZtream]

The user did approve them, by lettering code run on their machine that updated software. The security issue is the stupid users who allow the updaters to run and then get pissed off when they update stuff.

'OMG FIREFOX IS INSECURE BECAUSE THIS OTHER APP I LET RUN WITH ADMIN RIGHTS IS CHANGING FIREFOX'

Jesus I hate when idiots like you post.

This is a security issue, but it has nothing to do with Firefox, its the user. The user allowed the update to update his machine on its own. The security problem is that the user is too stupid to realize that when you allow apps to make whatever changes they want to your system on their own, that they may in fact do just that.

You think Sun is 'stooping as low' as installing an extension that makes the product you installed work?

If an app can write to your system in a way required to make firefox load a new extension, they can do far more dangerous things than installing a firefox extension. If something is writing files (AND registry keys in this case) to system folders, don't you think the problem is with your file/registry permissions, not the fact that the app is doing what it was designed to do?

The way this works is BY DESIGN. Its useful for allowing a plugin or extension to be installed BEFORE firefox, so you can install flash, acrobat reader, or some other random plugin, and then in the future when you run firefox for the first time, it will know about the plugin and it will just work.

You sir, are clueless about security. Please stop pretending you know about it.

Re:There's a much simpler way

[anaesthetica]

This is a security issue, but it has nothing to do with Firefox, its the user.

That's the excuse we used to use with Windows too. But everyone has since realized that while you can never inoculate against dumb users, some software is inherently less secure because of the way it is designed. You're right that if users had perfect knowledge of what they were running, what they were installing, and what it all meant, then there would be no problem. Unfortunately that is not the case—in practice, people have limited knowledge about what they're running and what they're installing, as evidenced by the wild success of spyware and adware and malware. Tens of millions of users have malware running local code while logged in on admin-level accounts, the malware is running without their full knowledge, and this presents a wide open vector for attack.

We can follow your model, in which we place the onus entirely on the user. And similar to abstinence-only sex ed, which ignores the well-demonstrated reality of human behavior, it will fail and Firefox will be exploited. Or we can follow my model, which adds another layer of security on the assumption that people do make mistakes and ill-informed decisions, and design around that. Firefox's good reputation will be preserved, with trivial hassle to the end user.

Mozilla needs to shut this down now

[Kaboom13]

How many IE installs have you seen with a dozen ugly search bar below the title bar? It seems like every app installs one, if you are lucky they hide a little checkbox and disclaimer in the installer to avoid it. it's one of peoples big annoyances with IE, even if at it's core it's not IE's fault. I installed Foxit Reader on my laptop the other day, and did not read all the options. To my surprise I had some ridiculous Ask.com toolbar in my firefox install.

Currently if you try to install an extension, Firefox pops a warning up. It needs to do the same if another app installs one. All extensions need to be uninstallable, they need to remove all options otherwise. Ideally, it would be able to verify the integrity of all browser files from a secure source and delete anything that did not follow the "rules" (I.e. can be uninstalled at any time).

All extensions not installed by direct user action (ie going to the firefox addons menu and choosing to install it) should start disabled and have to be manually enabled before they can work.

Firefox is gaining ground in the browser wars, and that means it is going to be targeted. Already malicious sites that attempt to exploit flaws in Firefox exist and are growing in number. I expect it's just a matter of time before spyware extensions start showing up, claiming to do something useful while reporting your browsing habits.

Mozilla foundation needs to keep in mind it is YOUR computer, and YOUR browser, and it should only do the things you want it to, regardless of what other companies want.

Ive been using Firefox since it was called Firebird, and despite the many improvements, it will be a victim of it's own success if it is not careful.

Re:Mozilla needs to shut this down now

[BitZtream]

Currently if you try to install an extension, Firefox pops a warning up. It needs to do the same if another app installs one.

Already done, had you even read the summary you'd know thats how this started, the handitard that posted the original noticed it when Firefox warned him that a new one had been installed.

All extensions need to be uninstallable, they need to remove all options otherwise.

No, they don't. There are provisions that allow network admins to install plugins. Regardless of what you think, its not always up to you what runs on the PC your using. Firefox (the user running it) may not even have permission to remove the files or settings, in which case its going to fail.

Ideally, it would be able to verify the integrity of all browser files from a secure source and delete anything that did not follow the "rules" (I.e. can be uninstalled at any time).

You are obviously very young and naive. Its practically impossible. And even if it were possible, if they did this, then you would bitch that they were controlling what extensions could be installed (like apple and the app store). If they don't do it you bitch that they should.

All extensions not installed by direct user action (ie going to the firefox addons menu and choosing to install it) should start disabled and have to be manually enabled before they can work.

You have an extremely narrow view of the world. In a corporate network, users don't get to control everything so doing what you say would cause more problems and probably wouldn't work anyway as the network admins would probably have file permissions set in a way that the user wouldn't have a choice in the matter.

Mozilla foundation needs to keep in mind it is YOUR computer, and YOUR browser, and it should only do the things you want it to, regardless of what other companies want.

You need to keep in mind that no one cares what you do on your little home PC, and that there are far more reasons to use a PC that don't involve you, and many of those reasons probably don't fall into your little view of what would be perfect for YOU. There are many times when its NOT YOUR computer, so you DON'T get to do whatever you want with it. You are not entitled to have things your way just because you are alive.

Ive been using Firefox since it was called Firebird, and despite the many improvements, it will be a victim of it's own success if it is not careful.

So you've been using Firefox for a while, you're still clueless. If by victim of its own success you mean holding a large market share and being accepted by companies rather than being forced to use IE at work, then I'm okay with that.

You're going to be ignorant and bitch regardless, so Mozilla really could give a flying fuck what you think :)

Re:Unlike Microsoft, this one benign and documente

[Ilgaz]

...and JRE finally, finally showed some kind of Desktop user touch by preloading frequently used classes (or their metadata, more like prebinding/prefetch) to memory in ages of 64bit running laptops with 4+ GB memory.

If I was still on windows and also using applets a lot, I would thank Sun via feedback especially if I had portable with traditionally fragmented NTFS disk.

They were doing harm to users and even Firefox by not implementing that long overdue optimisation which means browser was essentially freezing or choking when most basic java applet hits it.

They unimaginably trust to Apple for Java updates but if they manage to run it as normal (non admin) user, it would be a nice touch for Linux JRE.

You missed something!

[Trahald]

You only noticed the firefox addon !
Ha Ha. They also sneaked a service in there. Check out your control panel services thing. There's a new service "Java Quick Start".

Screenshot

[BitZtream]

This whole posting is dumb but...

I really fail to see how anyone with 'TwitterBar' extension installed can bitch about the Java quickstart extension.

I guess if I would have looked at the screenshot sooner I would have realized the guy is just a douche bag and skipped this one :/

Firefox plugin...

[Bert64]

The install of Java already includes a java browser plugin, they are only extending it's functionality with a firefox addon rather than doing something completely new and unexpected.