Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sun Slips Firefox Extension Into Java Update

Posted by timothy on from the we-thought-you-wanted-it dept.

pcardno writes "It seems it's not just Microsoft that have spotted a good opportunity to distribute their software through Firefox Addons. On installing the latest annoying, sysbar bubble based Java update, my Firefox informed me that I had a wonderful new Java addon automatically. Here's the addon screenshot. Yes, I could opt out of it, but why are Sun installing Addons to my Firefox without me making specific choices in the application itself? To be clear — I have never chosen to install this Addon, yet it has been installed without my permission with the latest Java Update."

39 of 311 comments (clear)

  1. You get what you pay for. by Divebus · · Score: 4, Funny

    You get what you pay for... and then some.

    --

    Most of the stuff on /. won't survive first contact with facts.
    1. Re:You get what you pay for. by TheKidWho · · Score: 4, Insightful

      The less you pay, the more you get!!!

      And you'll like it too.

    2. Re:You get what you pay for. by jetsci · · Score: 3, Funny

      ...the last time 'Sun' slipped me something I woke up groggy and sore...

      --
      Bored at work? Play Game!
    3. Re:You get what you pay for. by BikeHelmet · · Score: 5, Insightful

      I don't see why people are upset about this.

      1) The addon/plugin is tied to your computer - not your profile. It's similar to installing quicktime. It registers plugins with your browser. But for some reason it shows up as an addon rather than as a plugin - perhaps because of the featureset it requires? It looks like they split prefetching functionality from the main plugin, so that it can be disabled if desired.

      2) It's easy to turn off. Just go to the java control panel and disable it. If you can't figure it out, here. (first result on google)

      3) Prior to Firefox 3, nobody even knew this stuff was running. Now you do, and you actually have the option to disable it, or totally remove it. Isn't this a good thing? Why are you screaming now that you know it's there?

      4) This happened something like 6 months ago.

      5) This feature was not "slipped in". Sun wrote about it in April 2008. Maybe if you were going to throw a fit, you should've done it when they first announced it.

      6) Technically you did choose to install the addon. It's part of Java. A checkbox when installing would be nice, but really, isn't required - especially since this is easy to disable, and the functionality is known, and has been disclosed for almost a full year.

      If you want something ludicrously invasive, go look at OpenOffice. It silently steals file associations, has no way to manually register extensions, etc.; half the changes they make are so poorly documented that deploying a new version in a production environment can leave things totally FUBAR.

      (not that I'm dissing them - just pointing out that this isn't a big issue to me, because Sun did just about everything right, and people are still screaming about it - typical)

    4. Re:You get what you pay for. by atraintocry · · Score: 3, Insightful

      I know that is a fine point for you to grasp

      Ironic, since you don't have a clue. The actual reason is that if you don't use Firefox to install the add-on, Firefox doesn't know where the files are located. In addition, if they are in the application directory, a privilege elevation is required.

      The worst you could say is that it's shortsighted. It is certainly not malice. These are the type of devs that deny huge memory leaks over and over again with a straight face, remember?

      In any case, you can always disable any add-on. And if you think Java is malware then I wouldn't have my PC in the same state as you, let alone lend it out.

  2. You're right--convenience sucks by perspectival · · Score: 5, Informative

    Yes, now you have Java working in Firefox. Turn it off if you don't like it. Simple.

    1. Re:You're right--convenience sucks by Jeff+DeMaagd · · Score: 4, Insightful

      The problem is that this should be an opt-in system, not opt-out later by going in.

      You talk about convenience, but they certainly don't offer as convenient of an opt-out as they should have.

    2. Re:You're right--convenience sucks by SatanicPuppy · · Score: 4, Insightful

      In order to have this happen to you, you have to install a completely optional automatic update package from Java, so you are opting in.

      That it doesn't ask you again later doesn't mean much.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    3. Re:You're right--convenience sucks by davester666 · · Score: 3, Informative

      Same with Acrobat Reader (at least on Mac OS X, probably also on Windows), where Adobe installs, both without warning OR notification that they install Adobe AIR. And they don't use Apple's installer, so you can't even find out what files they've spammed to you system.

      Acrobat Reader 8-109 Mb
      Acrobat Reader 9-190 Mb

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:You're right--convenience sucks by Anonymous Coward · · Score: 5, Insightful

      You're right, you have to turn it off - because you sure as hell can't uninstall it.

      It's unwanted, it's unneeded (Java works fine without it) and it's useless (all it does is waste memory and make Firefox take even longer to start).

      So why does Sun force it onto us without even asking? Damned if I know.

      Fortunately it's easy to disable. Unfortunately it gets reenabled every single time you update Java, which is a fairly routine thing thanks to the massive number of security holes lingering in Java. (Even worse, if you allow it to update automatically, this just happens in the background, so your only sign that it got reinstalled behind your back is Firefox randomly being slower).

      Honestly, I only have Java installed for a couple of "enterprise" applications I use that require the massive Java bloat. I'd much prefer it keep its hooks out of my browser: Java applets are dead and have been for years. The only reason I have Java at all is thanks to the "enterprise" weenies who think that J2EE makes everything better.

      But you can't keep it out of your browser. Install it, and it sticks its hooks into your browser without giving you an option. Even better, it now advertises Open Office and demands that you register Java.

      But this isn't really news - Sun's been doing that for at least the past year and quite possibly longer. It's not a new feature.

      It's still scummy, and makes me incredibly wary about using any Sun software (eg Open Office and MySQL) for fear of what Sun bloat now lingers in them.

    5. Re:You're right--convenience sucks by SatanicPuppy · · Score: 5, Funny

      It's automatically updating the entire JRE, and you're worried about some little plugin? That's like opting in to unprotected anal sex and then freaking out at the post-coital cuddling.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    6. Re:You're right--convenience sucks by TinBromide · · Score: 5, Funny

      "It's automatically updating the entire JRE, and you're worried about some little plugin? That's like opting in to unprotected anal sex and then freaking out at the post-coital cuddling."

      Can you phrase that in some form of a car analogy?

      --
      Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
    7. Re:You're right--convenience sucks by Anonymous Coward · · Score: 5, Funny

      Its like getting a call from an auto dealer with the words "Thanks for buying the car, by the way there's a body in the trunk."

    8. Re:You're right--convenience sucks by Tawnos · · Score: 5, Funny

      It's like opting in to unprotected anal sex in the back of a voltswagen, then freaking out at the small back seat size when in post-coital cuddling?

    9. Re:You're right--convenience sucks by cabazorro · · Score: 5, Insightful

      Like getting a free oil change and complaining about the windshield sticker next service reminder?

      --
      - these are not the droids you are looking for -
    10. Re:You're right--convenience sucks by SatanicPuppy · · Score: 4, Informative

      You're downloading the wrong packages. If you download from the main java download page it doesn't include the extra crapware.

      It will still show a splashscreen for OpenOffice though. Shocking. Quite shocking.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    11. Re:You're right--convenience sucks by meatmanek · · Score: 4, Informative

      There's a nifty program called fseventer which lets you watch file changes in real time.

    12. Re:You're right--convenience sucks by gEvil+(beta) · · Score: 4, Funny

      A voltswagen? Is that some new electric car I haven't heard about?

      --
      This guy's the limit!
    13. Re:You're right--convenience sucks by ShieldW0lf · · Score: 5, Insightful

      You are opting in to the update, not the Firefox extension. That's installed silently as part of the update. The only reason it was detected was that Firefox told him that it had been installed, after the fact. If it were, as you claim, opt-in, he would have been asked if he wanted it before it was installed. See the difference?

      I can't test this myself, don't have a Windows machine here, but every time I've installed Java on Windows in the past, it scanned my machine and asked me if I wanted to install support into each of my browsers, which generally consisted of Firefox and IE. And after I said yes, it did some mucking about in the internals of my browsers to make them interact properly with JRE.

      If you already did this, in the past, then you already gave them consent to integrate into your browser. So, the difference is, now you can see the evidence in your Add-On's list, where before you couldn't.

      So, this doesn't resemble MS's stunt at all. Nice move posting a big fat broken link right at the top of the story, by the way. Smooth...

      --
      -1 Uncomfortable Truth
    14. Re:You're right--convenience sucks by Score+Whore · · Score: 4, Insightful

      Um, JVM have always included plugins for browsers. Being shocked or surprised at this is like being flabbergasted and croggled by Mozilla Corp adding a "know your rights" bar rather than a click through EULA in version 3.05. Or like the FSF including a getwchar() in libc.

      It is what it is.

    15. Re:You're right--convenience sucks by Plug · · Score: 4, Funny

      Sounds like a very uncomfortable place.

    16. Re:You're right--convenience sucks by davester666 · · Score: 3, Insightful

      Every once in a while, a PDF will render better in Acrobat Reader than Preview. But I haven't come across one in quite some time. I used to have Reader 5 as my default PDF reader on Mac OS X (years ago), because it was faster and more compatible than Preview (back then), but with Tiger and Leopard, Preview has totally kicked Reader to the curb.

      I would say, since version 8 (maybe even 7), Acrobat Reader has jumped the shark, with wacky 3D features, more DRM then you can shake a stick at, Javascript scripting, video and audio support, and now just throwing in AIR, just to artificially boost their install base. Adobe seems to have forgotten what their original reason for PDF was, and is now just throwing everything they can think of into it...

      --
      Sleep your way to a whiter smile...date a dentist!
    17. Re:You're right--convenience sucks by ConceptJunkie · · Score: 4, Funny

      Did you install Java to have it NOT work?

      Based on my experiences with Java on Linux, I always assumed Sun thought that's what I was trying to do.

      --
      You are in a maze of twisty little passages, all alike.
  3. Old by RockMFR · · Score: 5, Informative

    I mentioned this during the discussion about the Microsoft add-on three weeks ago. How is this news now?

  4. Stop this right now by AlterRNow · · Score: 3, Interesting

    Could Firefox add some sort of public/private key extensions signing so I can sign extensions I want to use? Then unsigned extensions wouldn't be loaded and this sort of thing could be stopped ( by the technical minded anyway ).

    --
    The disappearing pencil trick. Let me show you it.
    1. Re:Stop this right now by dmomo · · Score: 4, Funny

      Sounds like a great idea for an extension!

  5. Malware by MoZ-RedShirt · · Score: 3, Funny

    Watch out! It seems that some other malicious updaters installed IEtab and a twitter addon in your firefox, too!

    --
    Microsft spel chekar vor sail, worgs grate !!!
  6. Unlike Microsoft, this one benign and documented by salahx · · Score: 4, Informative

    All this plugin does is speed up loading of Java applets. Its benign, and Sun provides instructions on how to turn it off: http://www.java.com/en/download/help/quickstarter.xml .

  7. bitch, bitch, bitch. You wanted Java, right? by ClioCJS · · Score: 4, Insightful
    And of course if it asked you and it said no, complainers like you would be complaining about how Firefox doesn't properly support JAVA later.

    And of course, if you were a dumbass who didn't understand what extensions were, you might say No out of fear, and then later decide you don't like java. And then later decide buying an iPHone isn't that bad, because it doesn't support java, but java never works anyway.

    At some point, you have to let the machine work for you. Remember all the people who complained about windows asking your permission before doing anything possibly harmful? Seems like whether you ask people or not, someone is going to whine on either side of the fence.

    In a world of whiners, I'd rather have Javascript work on their browsers.

    There's enough problems with things BROKEN because people DON'T do automatic updates. Then when updates to happen automatically, people STILL whine.

    Can't win.

    --
    -Clio
    Karma: Bad (mostly from not giving a fuck)
    Blog: http://clintjcl.wordpress.com
    1. Re:bitch, bitch, bitch. You wanted Java, right? by db32 · · Score: 5, Insightful

      Java != Javascript.

      --
      The only change I can believe in is what I find in my couch cushions.
  8. Quickstarter.... by nvrrobx · · Score: 5, Insightful

    It helps preload the JVM so that any Java applets load faster.

    It's not some evil conspiracy.

    You told it to update your computer. It didn't tell you exactly what it was doing. Does Microsoft Update tell you everything it's going to touch?

    If you don't like it, run Linux, install SELinux and block everything by default.

    Not trying to sound like a dick, but this really is a non-issue.

  9. Re:some info, please by SatanicPuppy · · Score: 5, Informative

    It's an automatic update watcher that runs all the time in your taskbar and keeps your JRE up to date.

    It's an optional feature that is required by absolutely nothing, and one of the things it does is updates your browser. Apparently now it adds an extra update that does some prefetching that makes java load faster, and we must all riot because we didn't specifically ask for that one.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  10. Re:Obviously this is something you need.... by Anonymous Coward · · Score: 3, Interesting

    Look a lot of apps have agents that load on startup so that when you want them the visual startup time is much shorter, because it has been differed to when the system started up.

    Over the history of Java people have complained about how long the JVM startup time is. While Sun has made many improvements in this over the years, the FF add-on just assists this even more. When you launch FF and this add-on is enabled it initializes the JVM and the applet sub-system.

    This way if you go to a site that has an applet on it, it will appear and be function much more quickly.

  11. Re:Unlike Microsoft, this one benign and documente by zullnero · · Score: 4, Insightful

    Neither is benign. When you tamper with a customer's third party software, you 1. Ask them first, and 2. Let them back out easily. Microsoft and Sun did neither of these. Not only are they spitting on good software standards, they're spitting on their users by doing this.

  12. Re:Unlike Microsoft, this one benign and documente by KiloByte · · Score: 3, Interesting

    It preloads all the bloatness of Java, every single time, even if you installed it just for a single page you visited half a year ago.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  13. I don't see the problem. by argent · · Score: 3, Interesting

    There's lots of software that installs browser addons automatically, without even asking you. That's been normal and expected behavior for a decade, it's long since past time to raise Caine over this one.

    I think Sun should be accoladed for giving you the option to opt out.

    Ever try to install Acrobat without getting the browser plugin? You have to rummage around in the Acrobat directory and remove the plugin component or else EVERY TIME you run Acrobat the plugin will be reinstalled.

  14. Re:Obviously this is something you need.... by gbjbaanb · · Score: 3, Funny

    It's the same as IE and Office being preloaded with Windows so that they pop up instantly after your new 5 minute boot time.

    there, fixed that for you.

  15. There's a much simpler way by Rix · · Score: 3, Insightful

    Simply only allow them to be installed through Firefox. If one of these crapware installers wants to ad one, make it open Firefox with the xpi installer.

    And make it default to cancel.

    1. Re:There's a much simpler way by anaesthetica · · Score: 3, Insightful

      This is a security issue, but it has nothing to do with Firefox, its the user.

      That's the excuse we used to use with Windows too. But everyone has since realized that while you can never inoculate against dumb users, some software is inherently less secure because of the way it is designed. You're right that if users had perfect knowledge of what they were running, what they were installing, and what it all meant, then there would be no problem. Unfortunately that is not the case—in practice, people have limited knowledge about what they're running and what they're installing, as evidenced by the wild success of spyware and adware and malware. Tens of millions of users have malware running local code while logged in on admin-level accounts, the malware is running without their full knowledge, and this presents a wide open vector for attack.

      We can follow your model, in which we place the onus entirely on the user. And similar to abstinence-only sex ed, which ignores the well-demonstrated reality of human behavior, it will fail and Firefox will be exploited. Or we can follow my model, which adds another layer of security on the assumption that people do make mistakes and ill-informed decisions, and design around that. Firefox's good reputation will be preserved, with trivial hassle to the end user.

      --
      The Rise and Fall of Online Community