Not the software you're looking for —

How Java dumps useless add-ons and toolbars on PC users

Java is the newly crowned "king of foistware."

Remember the Ask search engine? Oracle sure does—and by extension, so do Java users. Oracle has taken the practice of bundling useless add-ons and toolbars with legitimate software to new heights while collecting a commission each time it tricks a user into installing an Ask toolbar.

That's what Windows expert and legendary skeptic Ed Bott of ZDNet reports after examining Java's installation and update practices. Bott has done extensive reporting on "foistware," previously crowning Adobe and Skype as the worst offenders. But over the past year, Adobe and Skype have reformed themselves a little bit, while Oracle's Java now deserves the crown for "king of foistware," he wrote today.

"The evidence against Oracle is overwhelming," Bott wrote, continuing:

  • When you use Java’s automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
  • With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s 'recommendation,' you end up with unwanted software on your PC.
  • IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
  • The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.

Installing Java on a Windows PC for the first time also installs an Ask toolbar into Internet Explorer, Chrome, and Firefox, and makes Ask the user's default search provider, unless a box is unchecked:

The same happens when you install Java security updates. Ask sort of hides its actions by delaying installation for 10 minutes, so it won't show up in the Control Panel's "Programs and Features" list right away. "I’ve never seen a legitimate program with an installer that behaves this way," Bott wrote.

Bott did his sleuthing in conjunction with Harvard professor Ben Edelman, who studies deceptive software practices. Edelman weighed in with an extensive analysis of his own today. Noting a recent update to Java to fix a security problem, he wrote "It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software. … A security update should never serve as an opportunity to push additional software." The Ask installation "takes over default search, address bar search, and error handling," Edelman further notes.

The Ask bundling with Java isn't new, but Bott notes that frequent security updates necessitated by Java flaws give users more opportunities to accidentally install the toolbar.

If all of this feels very "old-school," it's because major software companies are generally moving away from these sorts of annoying practices. Adobe and Skype have stopped some of their worst bundling practices, and the newest versions of IE, Firefox, and Chrome have ways to block new add-ons by default.

Channel Ars Technica