Re: [FD] Java 8u40 released: why?

2015-03-09 Thread James Hodgkinson
Nick,

Nowhere in the quoted text or my comments did it say it was a forced option, 
only that it “appeared” in the update; this thread started with questions as to 
whether there were any actual changes with the version bump, and I was offering 
a possibility.

James





On 8 March 2015 at 9:07:41 am, Nick FitzGerald (n...@virus-l.demon.co.uk) wrote:

James Hodgkinson wrote:  

 Maybe the major change is that they're including the Ask toolbar in  
 all releases now, not just the windows one? :)  

Indeed!  

 The unwelcome Ask extension shows up as part of the installer if a Mac  
 user downloads Java 8 Update 40 for the Mac. In my tests on a Mac  
 running that latest release of OS X, the installer added an app to the  
 current browser, Chrome version 41...  

So you did not notice the explanation that this would happen, right  
there on the continue the install permission dialog?  

The one we can see a screenshot of at, say:  

https://grahamcluley.com/2015/03/oracle-java-mac/  

Your description rather strongly implies that you have no choice in  
getting the Ask toolbar, which is untrue.  

I understand that Mac users will likely not be _accustomed_ to such  
permissions for _additional_ software, over and above the actual  
software that they thought they were installing, being requested, BUT  
unlike your description above and Ed Bott's at ZDNet (referenced in  
another post in this thread), the user is actually given the choice to  
not install the extra offer.  

Of course, questions as to the desirability of the option being  
pre-selected, and the possibly less than fully transparent directions  
about the necessity of the offer are much the same with the Mac version  
and the Windows version, whose permission dialog you can see here:  

http://i.imgur.com/82Tp2pp.png?1  




Regards,  

Nick FitzGerald  



___  
Sent through the Full Disclosure mailing list  
https://nmap.org/mailman/listinfo/fulldisclosure  
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Java 8u40 released: why?

2015-03-09 Thread Dave Warren

On 2015-03-07 15:00, Nick FitzGerald wrote:

So you did not notice the explanation that this would happen, right
there on the continue the install permission dialog?

The one we can see a screenshot of at, say:

https://grahamcluley.com/2015/03/oracle-java-mac/

Your description rather strongly implies that you have no choice in
getting the Ask toolbar, which is untrue.

I understand that Mac users will likely not be _accustomed_ to such
permissions for _additional_ software, over and above the actual
software that they thought they were installing, being requested, BUT
unlike your description above and Ed Bott's at ZDNet (referenced in
another post in this thread), the user is actually given the choice to
not install the extra offer.

Of course, questions as to the desirability of the option being
pre-selected, and the possibly less than fully transparent directions
about the necessity of the offer are much the same with the Mac version
and the Windows version, whose permission dialog you can see here:



Unfortunately for Apple and for Mac users in general, Mac users are 
going to have to learn that the main security issue on Windows exists in 
OSX too: The user. The only real thing that has kept OSX safe from 
user-installed malware until now is the relative obscurity of OSX; as 
OSX gains enough market share to be worth malware authors' time, we'll 
see more and more malware, ranging from bundleware that replaces user 
preference with a particular corporate interest, right up to full-on 
trojans.



--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


