MSN Toolbar included with Sun Java Security 'updates'

Discussion in 'Windows Vista Security' started by MowGreen [MVP], Dec 9, 2008.

  1. Beware of the *opt-out* behavior of Sun's java automatic updater. In the
    US, at least, the MSN toolbar comes PREchecked [opt-out] and will
    install along with purported java 'security' updates. Said 'security'
    updates are presented as the latest version of Sun's java runtime.

    Including crappy toolbars with security updates as an opt-out is a
    REALLY dumb, shortsighted decision.
    Shame on MS for doing so.

    As to Sun's java, who needs it ?
    If a site requires java, then avoid it like the plague.
    *Especially* any site that does financial transactions.


    MowGreen [MVP 2003-2009]
    ===============
    *-343-* FDNY
    Never Forgotten
    ===============
     
    MowGreen [MVP], Dec 9, 2008
    #1

  2. MowGreen [MVP]

    Leonard Grey Guest

    I don't like pre-checked opt-in boxes any more than you, but I wonder
    why you happen to pick on Java, when this practice is widespread among
    software providers, and why particularly Java-employing websites,
    especially financial websites.

    Sounds like you have a bone to pick with an unnamed Java-employing
    financial website, and because of that I should avoid software that has
    served me well for years?
     
    Leonard Grey, Dec 9, 2008
    #2

  3. MowGreen [MVP]

    Terry R. Guest

    The date and time was 12/9/2008 1:36 PM, and on a whim, MowGreen [MVP]
    pounded out on the keyboard:
    Hi Mow,

    Is that MS's fault? When I downloaded Java 6.11 the day it was
    released, I had the Yahoo toolbar option. When I downloaded it again
    the day after (on another network), the Open Office option was
    presented. It appears Sun is bundling these toolbars only on some
    install files. On both of my downloads, I downloaded the offline (full)
    version.


    --
    Terry R.

    ***Reply Note***
    Anti-spam measures are included in my email address.
    Delete NOSPAM from the email address after clicking Reply.
     
    Terry R., Dec 9, 2008
    #3
  4. Ah, Steve:

    Many hardware firewalls, such as Cisco, require Java to log into them.

    Tom
    : As to Sun's java, who needs it ?
    : If a site requires java, then avoid it like the plague.
    : *Especially* any site that does financial transactions.
    :
    :
    : MowGreen [MVP 2003-2009]
    : ===============
    : *-343-* FDNY
    : Never Forgotten
    : ===============
     
    Tom [Pepper] Willett, Dec 9, 2008
    #4
  5. From: "Terry R." <>

    | The date and time was 12/9/2008 1:36 PM, and on a whim, MowGreen [MVP]
    | pounded out on the keyboard:

    | Hi Mow,

    | Is that MS's fault? When I downloaded Java 6.11 the day it was
    | released, I had the Yahoo toolbar option. When I downloaded it again
    | the day after (on another network), the Open Office option was
    | presented. It appears Sun is bundling these toolbars only on some
    | install files. On both of my downloads, I downloaded the offline (full)
    | version.



    A better place to download is...
    http://java.sun.com/javase/downloads/index.jsp

    Then you won't download the version with the Yahoo Toolbar.

    jre-6u11-windows-i586-p-s.exe --> contains the toolbar

    jre-6u11-windows-i586-p.exe --> does not contain the toolbar
     
    David H. Lipman, Dec 10, 2008
    #5
  6. From: "MowGreen [MVP]" <>

    | Beware of the *opt-out* behavior of Sun's java automatic updater. In the
    | US, at least, the MSN toolbar comes PREchecked [opt-out] and will
    | install along with purported java 'security' updates. Said 'security'
    | updates are presented as the latest version of Sun's java runtime.

    | Including crappy toolbars with security updates as an opt-out is a
    | REALLY dumb, shortsighted decision.
    | Shame on MS for doing so.

    | As to Sun's java, who needs it ?
    | If a site requires java, then avoid it like the plague.
    | *Especially* any site that does financial transactions.


    | MowGreen [MVP 2003-2009]
    | ===============
    | *-343-* FDNY
    | Never Forgotten
    | ===============


    There are some organizations, like ours, that REQUIRE Sun Java !

    Who needs it -- We do.
     
    David H. Lipman, Dec 10, 2008
    #6
  7. MowGreen [MVP]

    Terry R. Guest

    The date and time was 12/9/2008 5:13 PM, and on a whim, David H. Lipman
    pounded out on the keyboard:
    I only download from the Java site, and the Yahoo toolbar was included
    the first day it was released.

    --
    Terry R.

    ***Reply Note***
    Anti-spam measures are included in my email address.
    Delete NOSPAM from the email address after clicking Reply.
     
    Terry R., Dec 10, 2008
    #7
  8. | I only download from the Java site, and the Yahoo toolbar was included
    | the first day it was released.

    I noted at least two download sites. The URL cited will provide the offline installation
    file "jre-6u11-windows-i586-p.exe" which doesn't bundle the toolbar(s) while the other
    site offers "jre-6u11-windows-i586-p-s.exe" which does bundle the toolbar.

    This isn't new and I have seen that for many versions.
     
    David H. Lipman, Dec 10, 2008
    #8
  9. MowGreen [MVP]

    Terry R. Guest

    The date and time was 12/10/2008 3:33 AM, and on a whim, David H. Lipman
    pounded out on the keyboard:
    As I said, I also downloaded the offline install, both days, both from
    the Java site. They were different.

    Just the messenger.

    --
    Terry R.

    ***Reply Note***
    Anti-spam measures are included in my email address.
    Delete NOSPAM from the email address after clicking Reply.
     
    Terry R., Dec 10, 2008
    #9
  10. MowGreen [MVP]

    Vadim Rapp Guest

    Including crappy toolbars with security updates as an opt-out is a REALLY
    It's amazing though how many people apparently don't see any problem with
    this. In the "service" economy increasingly based on brainwashing and
    deception rather than competence and functionality, advertising is sacred
    cow and is welcome in any clothes, isn't it.
     
    Vadim Rapp, Dec 10, 2008
    #10
  11. MowGreen [MVP]

    Vadim Rapp Guest

    Is that MS's fault?

    yes, it is - second after Sun. Any advertiser does have control on the
    places where their ads appear. If Microsoft ads suddenly showed up on
    low-quality sites, Microsoft most likely would take steps to protect their
    image.

    Though, if those were MSN ads, maybe they would not.
     
    Vadim Rapp, Dec 10, 2008
    #11
  12. MowGreen [MVP]

    Anteaus Guest

    A lot of people confuse Sun Java and Javascript.

    The two are unrelated, other than in their sharing a C-like syntax. They are
    sufficiently different that Javascript code will generally not run in Java,
    or vice versa.

    Having cleared that one up...

    Javascript is generally a function of the browser itself. It requires no
    plugin. It is not accessible outside of the webpage environment.

    Java is a 'runtime environment' which becomes part of the operating system,
    not unlike the .NET environment. Hence it is not strictly speaking a browser
    plugin, but an OS extension. A browser-plugin DLL allows this OS extension to
    be accessed from within webpages. Hopefully, with 'sandboxing' to prevent
    other off-limits parts of the computer being accessed by the webpage code.

    Most websites don't actually require either. Some sites that use dynamic
    menus (mine included) require Javascript.

    BUT, many websites use CSS to control layout, and on these the layout will
    go to pieces if Javascript is turned off.

    They still don't need Sun Java, though. ;-)

    The proportion of websites which use Sun Java is minuscule. At a very rough
    guess, one in ten thousand. I don't as a rule install Sun Java - it isn't on
    this machine- and I cannot even recall when I last encountered a site which
    complained about its absence.

    Yet, Java represents a considerable security risk for two reasons:

    Until recently, Sun Java updates failed to remove old, vulnerable versions.
    Since a Java program can specify which version to use, this meant that even
    fully-patched computers were STILL VULNERABLE to Java-coded malware.

    Several exploits using buffer-overflows in other software, e.g. Flash,
    Quicktime, rely on Java to actually execute the malware. Thus even if Java
    isn't at fault per se, its presence still reduces your computer's security.

    As for Cisco routers, yes, they use a Java-based GUI known as IOS. Only
    thing is, this GUI interface is so unbelievably slow and unstable that no-one
    worthy of the title of Cisco engineer uses it, preferring to write a text
    config-file and upload it to the router manually. I reckon that Cisco would
    drastically expand their userbase if they got rid of this hopeless software
    and used a conventional HTTP config-page, as does almost every other router
    manufacturer on the planet.

    The other time you need Java, of course, is for scripting in Open Office.
     
    Anteaus, Dec 10, 2008
    #12
  13. No bone to pick with any financial site that is intelligent enough to
    understand the risk involved when using java. My financial sites do NOT
    use java. None of my systems have any java runtimes installed.

    For some history on why I refuse to allow java on my systems ...
    in February 05 I contacted Sun and inquired as to the security risk of
    leaving older, vulnerable versions on a system when a 'new' runtime was
    pushed out. They admitted that it was a security risk and did NOTHING
    about it until just recently. Do the math. How many systems were exposed
    to a vulnerability that Sun KNEW existed for over 3 years ?

    Every one of their Security bulletins has this at the end of them,
    neatly hidden from Users who visit java.com that were totally unaware of
    WHY the older, vulnerable versions should be uninstalled:

    http://sunsolve.sun.com/search/document.do?assetkey=1-26-244987-1
    I've seen 6 or more JSE's installed on clients' systems. Heck, on one
    client's system there were 10 RUNTIMES installed. At 115 MB each, that's
    a HUGE amount of disk space being wasted, isn't it ?

    I'm not the only one that has been ranting about Sun and their updating
    mechanism:

    Ghosts of Java Haunt Users
    http://blog.washingtonpost.com/securityfix/2008/07/remnant_java_versions_again_po.html

    Check out that article, please. Brian Krebs has been on this for as long
    as I have.

    If another vendor ignored their own SECURITY suggestions, refused to fix
    their auto updating mechanism, then I'd be flaming them, too ... trust me.

    Now, as to Microsoft's decision to include the MSN toolbar with newer
    versions of Sun's java runtime ... MS has made a tremendous improvement
    as to security in their software and OS'. It appears that they are
    willing to go backwards in regards to security when they include the MSN
    toolbar as an OPT-OUT when a newer JRE is pushed out that, in reality,
    is a SECURITY update that addresses known vulnerabilities in the
    previous runtimes. I'd venture an educated guess that 99% of newer
    runtimes came out to address Critical vulns.

    This will affect Users who are under the impression that anything MS
    offers 'should be installed'. I've seen this first hand on clients'
    systems when they installed what was purported to be a security update
    from a 3rd party vendor that included unnecessary crap ... like Adobe
    trying to sneak the Google toolbar along with Shockwave security
    updates. The clients were more than annoyed and became reticent to
    install subsequent updates for Flash and Shockwave. Guess what happened
    to them eventually ?

    All it will take is for Users to get peeved about the installation of an
    unnecessary toolbar, or, for something to go wrong during installation
    of a JSE that causes serious issues.
    Then Users will become reticent when their systems are offered Security
    updates from Automatic or Windows Update.
    There's enough FUD concerning updating already; does MS really need to
    stoke the 'tin foil' crowd ?

    So, in effect, MS is stating that ad revenue trumps security.
    Sorry, that irks me to no end. I've made my feelings known to them but
    .... I have a strong suspicion that Marketing trumps Security these days.
    So, I'm not keeping my thoughts to myself any longer and want others to
    know WHY including toolbars and other crap along with SECURITY updates
    is a shortsighted and counterproductive practice.

    Capisce, Leonard ?


    MowGreen [MVP 2003-2009]
    ===============
    *-343-* FDNY
    Never Forgotten
    ===============


     
    MowGreen [MVP], Dec 10, 2008
    #13
  14. Et tu, David <w>

    ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,
    workstations, and servers.
    Does the Average User know that, too ? Hardly.
    Sorry, Sun is NOT needed by *most* Average Users.


    BTW, now that Sun's auto updating mechanism removes older,
    vulnerable versions, are you using the Static configuration method to
    retain them ?
    http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jre_install.html


    MowGreen [MVP 2003-2009]
    ===============
    *-343-* FDNY
    Never Forgotten
    ===============
     
    MowGreen [MVP], Dec 10, 2008
    #14
  15. Perhaps MS will allow Sun to use their updating pipeline to push out
    JSEs issued to address vulns in the previous JSE. Then they'll be
    offering purported security updates via AU|MU|WU that include the MSN
    toolbar and the blame can be laid on Sun.
    Think of the revenue from that ... and then think about how the Justice
    Dept. would react. <eg>

    MowGreen [MVP 2003-2009]
    ===============
    *-343-* FDNY
    Never Forgotten
    ===============
     
    MowGreen [MVP], Dec 10, 2008
    #15
  16. From: "MowGreen [MVP]" <>

    | Et tu, David <w>

    | ORGANIZATIONS know how to deal with securing Sun's JSE, their networks,
    | workstations, and servers.
    | Does the Average User know that, too ? Hardly.
    | Sorry, Sun is NOT needed by *most* Average Users.


    | BTW, now that Sun's auto updating mechanism removes older,
    | vulnerable versions, are you using the Static configuration method to
    | retain them ?
    | http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jre_install.html


    | MowGreen [MVP 2003-2009]
    | ===============
    | *-343-* FDNY
    | Never Forgotten
    | ===============

    Our situation is complex and we are not using any static configuration method. From
    periodic and required training to web systems to JInitiator, Sun Java is required. I too
    have seen as many as eight versions of Sun Java on our platforms. I manually remove them
    all and install the latest version. I limit the cache to 50MB (1GB is the default, are
    they joking ?) and I will disable the Quick Start service. We can't have additional open
    ports lowering the IA level of our systems.

    All toolbars are forbidden. Yahoo, Google, MSN, etc. If the JavaUpdateScheduler is now
    downloading bundled toolbars that is a *big* problem!

    On another note...
    Did you know that Adobe Acrobat Pro v9 bundles JRE v5 update 11 ?
    "C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe"

    Why can't they just rely on SUN JRE installed on the OS ?
    Why do they bundle a KNOWN vulnerable version ?

    I have opened a case number with Adobe on this issue. They NEVER responded.
     
    David H. Lipman, Dec 11, 2008
    #16
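The complaint in the two posts above (eight to ten stale runtimes left behind on one box, plus a known-vulnerable JRE 5 update 11 shipped under Acrobat's own directory where Java Update never looks) is easy to check for. The script below is an added example, not code from the thread or from Sun or Adobe: it walks the Program Files trees for every java.exe, asks each one for its version banner, and flags copies that are older than an assumed "current" version or that live outside Sun's install directory (vendor-bundled). The CURRENT_VERSION and SUN_INSTALL_PREFIX constants, the second Sun path and the "SomeVendor" path in the sample are assumptions; the Acrobat path is the one quoted in the post. When run somewhere with no java.exe to find, it reports the constructed sample instead.

```python
"""Inventory Java runtimes on a Windows host and flag stale or vendor-bundled copies.

Added example for this thread; not from Sun, Adobe, or any poster.
Assumptions: Python 3.7+, Windows-style paths, and the constants below.
"""
import os
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Matches the first line Sun's JRE prints for `java -version`, e.g. java version "1.6.0_11"
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

# Assumed: the version treated as current (6u11 was current when the thread was written)
CURRENT_VERSION: Version = (1, 6, 0, 11)

# Assumed: where Sun's own installer puts the JRE; anything elsewhere is vendor-bundled
SUN_INSTALL_PREFIX = r"C:\Program Files\Java"


def parse_java_version(banner: str) -> Optional[Version]:
    """Turn a `java -version` banner into a comparable tuple (major, minor, patch, update)."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def find_java_exes(roots: Iterable[str]) -> List[str]:
    """Walk each root and return every java.exe found (nonexistent roots yield nothing)."""
    found = []
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                if name.lower() == "java.exe":
                    found.append(os.path.join(dirpath, name))
    return found


def query_version(exe: str) -> Optional[Version]:
    """Run `java -version` on one executable; the JRE prints the banner on stderr."""
    try:
        proc = subprocess.run([exe, "-version"], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_java_version(proc.stderr or proc.stdout)


def classify(exe: str, version: Optional[Version], current: Version = CURRENT_VERSION) -> str:
    """Label one runtime: 'unknown' (banner unparsable), 'stale' (older than current), else 'ok'.

    Copies outside Sun's install directory get a 'bundled-' prefix: Java Update
    does not know about them, so they stay at whatever version the vendor shipped.
    """
    bundled = not os.path.normcase(exe).startswith(os.path.normcase(SUN_INSTALL_PREFIX))
    if version is None:
        status = "unknown"
    elif version < current:
        status = "stale"
    else:
        status = "ok"
    return ("bundled-" if bundled else "") + status


def report(installs: List[Tuple[str, Optional[Version]]],
           current: Version = CURRENT_VERSION) -> List[Tuple[str, str]]:
    """Pair every (path, version) with its classification."""
    return [(exe, classify(exe, ver, current)) for exe, ver in installs]


# Constructed sample: the Acrobat path is quoted in the thread; the other three are assumptions
SAMPLE_INSTALLS = [
    (r"C:\Program Files\Java\jre6\bin\java.exe", parse_java_version('java version "1.6.0_11"')),
    (r"C:\Program Files\Java\jre1.5.0_06\bin\java.exe", parse_java_version('java version "1.5.0_06"')),
    (r"C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin\java.exe",
     parse_java_version('java version "1.5.0_11"')),
    (r"C:\Program Files\SomeVendor\tool\jre\bin\java.exe", None),
]


def main() -> None:
    roots = [os.environ.get("ProgramFiles", r"C:\Program Files"),
             os.environ.get("ProgramFiles(x86)", r"C:\Program Files (x86)")]
    installs = [(exe, query_version(exe)) for exe in find_java_exes(roots)]
    if not installs:
        installs = SAMPLE_INSTALLS  # nothing found (or not on Windows): show the constructed sample
    for exe, status in report(installs):
        print(f"{status:16} {exe}")


if __name__ == "__main__":
    main()
```

Versions compare as tuples, so 1.5.0_11 sorts below 1.6.0_11 and a 1.4.2 runtime below both; an unparsable banner is reported rather than silently treated as current. Anything tagged "bundled-" has to be patched (or removed) by hand, because neither Sun's updater nor a manual uninstall of the old JREs will touch it.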
  17. From: "MowGreen [MVP]" <>

    | Perhaps MS will allow Sun to use their updating pipeline to push out
    | JSEs issued to address vulns in the previous JSE. Then they'll be
    | offering purported security updates via AU|MU|WU that include the MSN
    | toolbar and the blame can be laid on Sun.
    | Think of the revenue from that ... and then think about how the Justice
    | Dept. would react. <eg>

    | MowGreen [MVP 2003-2009]
    | ===============
    | *-343-* FDNY
    | Never Forgotten
    | ===============


    Think about how SUN had an agreement with Microsoft for SUN Java to be provided to
    Microsoft and Microsoft violated the terms of the agreement and SUN sued Microsoft and MS
    lost !
     
    David H. Lipman, Dec 11, 2008
    #17
  18. Thanks for mentioning this again, I was wondering if there was any
    response. A vulnerable program in a known location is a very bad
    thing securitywise.
     
    FromTheRafters, Dec 11, 2008
    #18
  19. MowGreen [MVP]

    Terry R. Guest

    The date and time was 12/10/2008 4:10 PM, and on a whim, David H. Lipman
    pounded out on the keyboard:
    Blackberry Professional for Exchange was installed on a server at a
    network I admin. Java 5.11 was also installed. I updated to 6.11 and
    the software wouldn't work! Why are they using versions so old?

    --
    Terry R.

    ***Reply Note***
    Anti-spam measures are included in my email address.
    Delete NOSPAM from the email address after clicking Reply.
     
    Terry R., Dec 11, 2008
    #19
  20. From: "FromTheRafters" <>


    | Thanks for mentioning this again, I was wondering if there was any
    | response. A vulnerable program in a known location is a very bad
    | thing securitywise.

    I brought it up on the semi-private Adobeforums and they were more interested in the URLs
    in my signature calling them spam and my quoting those I responded to.
     
    David H. Lipman, Dec 11, 2008
    #20
