Oracle will continue to bundle 'crapware' with Java

Defends practice of making users opt out of toolbar; says "not something Oracle started"

Oracle will not stop bundling what critics describe as "crapware" and "foistware" with its Java installer anytime soon, a company representative intimated last week.

The practice of offering up other software alongside Java updates, including emergency security updates to patch critical vulnerabilities, again came under fire last week as new reports surfaced of deceptive installation techniques.

During a conference call with leaders of the Java User Groups (JUG) last week, Doland Smith, who heads Oracle's OpenJDK team, cited contractual obligations that prevented him from discussing the bundling deal in detail. But he hinted that no changes were in the offing.

"When you have a commercial relationship like this, not only are you dealing with your [own] corporate policies on communication, and revenue recognition and all that kind of stuff, but you also have a commercial partnership and agreement that you have to abide by and follow," said Smith during the call.

Currently, the Java installer for Windows includes an offer for the browser toolbar. Unless users explicitly uncheck a box on the Java installation screen -- in other words, opt out -- the toolbar automatically downloads and installs, and the browser's default search engine changes to

That raised the ire of long-time Windows blogger Ed Bott of ZDNet, and also got the attention of Ben Edelman, an associate professor at Harvard and expert on adware, online fraud and Internet privacy.

In pieces published on January 22, both Bott and Edelman took aim at Oracle for bundling the toolbar with Java.

Bott found that the toolbar was not immediately installed, but waited 10 minutes after Java finished to kick in. "I've never seen a legitimate program with an installer that behaves this way," said Bott, who speculated that the technique was an attempt to hide the toolbar's installation from technically-astute users.

Edelman was also caustic in his criticism of Oracle and the toolbar installation, deeming the latter deceptive. Even worse, Edelman said, was that the offer was included with critical Java updates that patched recent "zero-day" vulnerabilities being exploited by criminals.

"The Java update is only needed as a result of a serious security flaw in Java," said Edelman. "It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software."

By bundling adware with its security updates, Oracle is teaching users to distrust its patching process, Edelman added.

Oracle's Smith disagreed.

"It's not specifically a security issue. It's a commercial, business-side issue," he said during last week's call. "The reason it's tied with security is that it's showing up when we push out new installers on the Windows platform. Really, it's not related to security directly."

Smith also defended the practice by saying Oracle had inherited the deal when it acquired Sun Microsystems, the creator of Java, in 2010. "This is not a new business, this is not something that Oracle started," Smith said. "This is a business that Sun initiated a long time ago."

Sun had bundled third-party software with Java since at least 2005, when it offered a Google toolbar. In the following years, Sun made similar arrangements with Microsoft and Yahoo, before switching to

While Smith stopped far short of saying that Oracle would drop the bundling, he tried to soothe obviously ruffled feathers among the JUG community. "It's something that we are looking at and constantly evaluating whether it's worth doing," he said. "What I can say is, we hear you loud and clear. We're aware of the concerns and we're looking at what we can do moving forward."

He also declined to give the JUG leaders an explanation for the odd installation behavior of the toolbar, even as he agreed with another caller that it was "squirrelly."

"I agree that on the surface, when you look at, it's like, 'Why is it that way?'" Smith said. "It could be that we are never able to give a satisfactory answer. But I hope at some point we can clarify what that's about and why." did not immediately reply to a request for comment on the toolbar's installation process and the status of its deal with Oracle.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
