MSN Toolbar included with Sun Java Security 'updates'


David H. Lipman

From: "Terry R." <[email protected]>


| Blackberry Professional for Exchange was installed on a server at a
| network I admin. Java 5.11 was also installed. I updated to 6.11 and
| the software wouldn't work! Why are they using versions so old?

| --
| Terry R.

The idiots of these companies need to work off a centralized version of SUN Java and NOT
the concept of installing old versions modified to their needs.
 

Leonard Grey

In the first place, I believe the word is /capisce/ but I'll defer to
the Italians in the group.

However you describe it, you have a bone to pick. No big deal...everyone
has a bone to pick. But I don't post (or cross-post) to a public
newsgroup to tell people to stop using any and all Zone Alarm products
just because I disagree with the way Zone Alarm conducts its business.

And even if I were so inclined, I would do it in a newsgroup for Zone Alarm.
---
Leonard Grey
Errare humanum est
No bone to pick with any financial site that is intelligent enough to
understand the risk involved when using java. My financial sites do NOT
use java. None of my systems have any java runtimes installed.

For some history on why I refuse to allow java on my systems ...
in February 05 I contacted Sun and inquired as to the security risk of
leaving older, vulnerable versions on a system when a 'new' runtime was
pushed out. They admitted that it was a security risk and did NOTHING
about it until just recently. Do the math. How many systems were exposed
to a vulnerability that Sun KNEW existed for over 3 years ?

Every one of their Security bulletins has this at the end of them,
neatly hidden from Users who visit java.com that were totally unaware of
WHY the older, vulnerable versions should be uninstalled:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-244987-1
Note: When installing a new version of the product from a source other
than a Solaris patch, it is recommended that the old affected versions
be removed from your system. To remove old affected versions on the
Windows platform, please see:

http://java.com/en/download/help/uninstall_java.xml

I've seen 6 or more JSE's installed on clients' systems. Heck, on one
client's system there were 10 RUNTIMES installed. At 115 MB each, that's
a HUGE amount of disk space being wasted, isn't it ?

I'm not the only one that has been ranting about Sun and their updating
mechanism:

Ghosts of Java Haunt Users
http://blog.washingtonpost.com/securityfix/2008/07/remnant_java_versions_again_po.html


Check out that article, please. Brian Krebs has been on this for as long
as I have.

If another vendor ignored their own SECURITY suggestions, refused to fix
their auto updating mechanism, then I'd be flaming them, too ... trust me.

Now, as to Microsoft's decision to include the MSN toolbar with newer
versions of Sun's java runtime ... MS has made a tremendous improvement
as to security in their software and OS'. It appears that they are
willing to go backwards in regards to security when they include the MSN
toolbar as an OPT-OUT when a newer JRE is pushed out that, in reality,
is a SECURITY update that addresses known vulnerabilities in the
previous runtimes. I'd venture an educated guess that 99% of newer
runtimes came out to address Critical vulns.

This will affect Users who are under the impression that anything MS
offers 'should be installed'. I've seen this first hand on clients'
systems when they installed what was purported to be a security update
from a 3rd party vendor that included unnecessary crap ... like Adobe
trying to sneak the Google toolbar along with Shockwave security
updates. The clients were more than annoyed and became reticent to
install subsequent updates for Flash and Shockwave. Guess what happened
to them eventually ?

All it will take is for Users to get peeved about the installation of an
unnecessary toolbar, or, for something to go wrong during installation
of a JSE that causes serious issues.
Then Users will become reticent when their systems are offered Security
updates from Automatic or Windows Update.
There's enough FUD concerning updating already; does MS really need to
stoke the 'tin foil' crowd ?

So, in effect, MS is stating that ad revenue trumps security.
Sorry, that irks me to no end. I've made my feelings known to them but
... I have a strong suspicion that Marketing trumps Security these days.
So, I'm not keeping my thoughts to myself any longer and want others to
know WHY including toolbars and other crap along with SECURITY updates
is a shortsighted and counterproductive practice.

Cabiche, Leonard ?


MowGreen [MVP 2003-2009]
===============
*343-* FDNY
Never Forgotten
================


Leonard said:
I don't like pre-checked opt-in boxes any more than you, but I wonder
why you happen to pick on Java, when this practice is widespread among
software providers, and why particularly Java-employing websites,
especially financial websites.

Sounds like you have a bone to pick with an unnamed Java-employing
financial website, and because of that I should avoid software that
has served me well for years?
---
Leonard Grey
Errare humanum est
Beware of the *opt-out* behavior of Sun's java automatic updater. In
the US, at least, the MSN toolbar comes PREchecked [opt-out] and will
install along with purported java 'security' updates. Said 'security'
updates are presented as the latest version of Sun's java runtime.

Including crappy toolbars with security updates as an opt-out is a
REALLY dumb, shortsighted decision.
Shame on MS for doing so.

As to Sun's java, who needs it ?
If a site requires java, then avoid it like the plague.
*Especially* any site that does financial transactions.


MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============
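The Sun note quoted above tells the user to remove the old affected versions after a new runtime is installed, but leaves finding them to the user. As an added example, not part of this thread or of Sun's documentation, the PowerShell below enumerates the Java runtimes registered on a Windows host from the standard Uninstall registry keys, sorts them by version and lists every copy older than the newest so it can be removed; it then searches Program Files for java.exe to catch private JREs that other products bundle without registering them. The registry paths are the standard Windows locations; the DisplayName filter and the commented-out msiexec removal are assumptions about how the Sun/Oracle installers register themselves and should be checked against the target before they are run.

```powershell
# Added example, not from the thread: find stale Java runtimes on a Windows host.
# Assumes PowerShell 3 or later; run elevated so every Uninstall key is readable
# and so the optional removal step can work.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed name patterns: Sun/Oracle installers register entries such as
# "J2SE Runtime Environment 5.0 Update 11" and "Java(TM) 6 Update 11".
# "Java Auto Updater" is the updater itself, not a runtime, so it is excluded.
$java = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match '^(Java|J2SE)' -and
        $_.DisplayName -notmatch 'Auto Updater' -and
        $_.DisplayVersion
    } |
    Select-Object DisplayName, DisplayVersion, UninstallString, PSChildName)

if ($java.Count -eq 0) {
    Write-Host 'No Java runtimes are registered in the Uninstall keys.'
} else {
    # DisplayVersion is dotted (1.5.0.110, 6.0.110, ...); casting to [version]
    # makes the sort numeric instead of lexical. Unparseable values sort last.
    $sorted = @($java | Sort-Object -Property {
        try { [version]$_.DisplayVersion } catch { [version]'0.0' }
    } -Descending)

    $newest = $sorted[0]
    $stale  = @($sorted | Select-Object -Skip 1)

    Write-Host ("NEWEST {0} ({1})" -f $newest.DisplayName, $newest.DisplayVersion)
    foreach ($old in $stale) {
        Write-Host ("STALE  {0} ({1}) -> {2}" -f $old.DisplayName, $old.DisplayVersion, $old.UninstallString)
    }

    # Optional removal. MSI-installed JREs use the product code GUID as the key
    # name, so msiexec /x on that GUID uninstalls them silently. Review the
    # STALE list first; this is deliberately left commented out.
    # foreach ($old in $stale) {
    #     if ($old.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
    #         Start-Process msiexec.exe -ArgumentList "/x $($old.PSChildName) /qn /norestart" -Wait
    #     }
    # }
}

# Private JREs bundled inside other products (the BlackBerry server case at
# the top of the thread) never appear under Uninstall. Locate them by file.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $roots -Recurse -Filter java.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        '{0,-14} {1}' -f $_.VersionInfo.ProductVersion, $_.FullName
    }
```

Two caveats when reading the output: 32-bit and 64-bit builds of the same release register as separate entries with the same version, so one of the pair will be listed as stale even though it is current; and a bundled JRE found by the file search cannot simply be deleted, because the product that ships it (as with the BlackBerry software in the first post) may depend on that exact version.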

David H. Lipman

From: "Leonard Grey" <[email protected]>

| In the first place, I believe the word is /capisce/ but I'll defer to
| the Italians in the group.

| However you describe it, you have a bone to pick. No big deal...everyone
| has a bone to pick. But I don't post (or cross-post) to a public
| newsgroup to tell people to stop using any and all Zone Alarm products
| just because I disagree with the way Zone Alarm conducts its business.

| And even if I were so inclined, I would do it in a newsgroup for Zone Alarm.
| ---
| Leonard Grey
| Errare humanum est

Except for the suspicions of a backdoor in ZoneAlarm inserted by (censored), it is
intended to protect a PC.

On the other hand, SUN Java is responsible for *MANY* people being infected with malware
due to their overwhelming number and consistency of vulnerabilities.

Leonard Grey

So what? You could say the same thing about Microsoft software
("responsible for *MANY* people being infected with malware
due to [their] overwhelming number and consistency of vulnerabilities.")

On the other hand, I've been using and updating Java (and Microsoft
software) forever and yet none of my computers have ever been infected
by any type of malware.

All software is riddled with vulnerabilities waiting to be exploited, so
let's not focus on the villain-of-the-month. Or maybe I'll get out my
soapbox for Comcast. Urrr...don't get me started.

Ken Blake, MVP

In the first place, I believe the word is /capisce/ but I'll defer to
the Italians in the group.


I'm not Italian, but I speak some Italian. Yes, your spelling is
correct. It's the second person singular of the verb "capire." And, by
the way, it's pronounced ka-PEE-shay.

FromTheRafters

David H. Lipman said:
From: "FromTheRafters" <[email protected]>


| Thanks for mentioning this again, I was wondering if there was any
| response. A vulnerable program in a known location is a very bad
| thing securitywise.

I brought it up on the semi-private Adobeforums and they were more
interested in the URLs in my signature, calling them spam, and my quoting
those I responded to.

I suppose that is a typical response in that forum. Too bad. Good thing
that sort of thing never happens here (pick one).

[snipped the SPAM]

:D

~BD~

There are some organizations, like ours, that REQUIRE Sun Java !

Who needs it -- We do.

--

I've snipped the SPAM too! ;)

If you were to tell us the name of the organization for which you work I
might better understand your general attitude, Mr Lipman.

Does it have a web site to which I, and other readers, may refer? If so,
maybe you should use it as a replacement signature. What do *you* think?

BDave

--

David H. Lipman

A conformative reply in the Adobeforums would be like this one.

No quoting (or very little).

David H. Lipman

From: "~BD~" <[email protected]>


| If you were to tell us the name of the organization for which you work I
| might better understand your general attitude, Mr Lipman.

| Does it have a web site to which I, and other readers, may refer? If so,
| maybe you should use it as a replacement signature. What do *you* think?

| BDave

My signature is fully conforming to Usenet standards as it is less than four lines long
and URLs in signatures are not spam.

The Adobeforums is semi-private. That is, you must authenticate to post to the
Adobeforums (have an account and password). It is semi-private because it has a one-way
propagation to Usenet. Posts and replies made at the Adobeforums propagate to Usenet.
Posts and replies made on Usenet do not propagate back to the Adobeforums. Therefore they
DO have the right to set limiting rules that are non-conforming to Usenet standards.

As to the organization for which I work...
That's none of your f'n business and is NOT for public consumption, especially in an
International forum. There are reasons why this *must* be done and I can't even explain
why because it falls into the category of too much information.

Yes, we have web sites. There are Wikis on us too. Some of "our" web sites are public.
Other web sites you and others not in the "family" cannot access, even at the root
level.

MowGreen [MVP]

Leonard said:
So what? You could say the same thing about Microsoft software
("responsible for *MANY* people being infected with malware
due to [their] overwhelming number and consistency of vulnerabilities.")

On the other hand, I've been using and updating Java (and Microsoft
software) forever and yet none of my computers have ever been infected
by any type of malware.

All software is riddled with vulnerabilities waiting to be exploited, so
let's not focus on the villain-of-the-month. Or maybe I'll get out my
soapbox for Comcast. Urrr...don't get me started.

I've already filed a complaint about Comcast with the FCC which they are
'still investigating' ;)

capiche; ceviche ... one understands dead fish, sí ?


MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============

Leonard Grey

Si, si amigo ;-)
---
Leonard Grey
Errare humanum est
Leonard said:
So what? You could say the same thing about Microsoft software
("responsible for *MANY* people being infected with malware
due to [their] overwhelming number and consistency of vulnerabilities.")

On the other hand, I've been using and updating Java (and Microsoft
software) forever and yet none of my computers have ever been infected
by any type of malware.

All software is riddled with vulnerabilities waiting to be exploited,
so let's not focus on the villain-of-the-month. Or maybe I'll get out
my soapbox for Comcast. Urrr...don't get me started.

I've already filed a complaint about Comcast with the FCC which they are
'still investigating' ;)

capiche; ceviche ... one understands dead fish, sí ?


MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============

Anteaus

Toolbars and system-tray icons are a malaise of present-day computing. For
some reason best known to coders, it seems that every piece of software has
to (a) add a toolbar to browsers, and (b) install a memory-resident portion
to support a system-tray icon, even if the software only needs to run every
once-in-a-long-while to perform its task. A large part of the work of the
system-installer is in cleaning-out this garbage from new computers.

David H. Lipman

From: "Anteaus" <[email protected]>

| Toolbars and system-tray icons are a malaise of present-day computing. For
| some reason best known to coders, it seems that every piece of software has
| to (a) add a toolbar to browsers, and (b) install a memory-resident portion
| to support a system-tray icon, even if the software only needs to run every
| once-in-a-long-while to perform its task. A large part of the work of the
| system-installer is in cleaning-out this garbage from new computers.

This has always been the case. Today it is system tray-icons. Yesterday, in DOS, it was
Terminate and Stay Resident.

FromTheRafters

David H. Lipman said:
From: "Anteaus" <[email protected]>

| Toolbars and system-tray icons are a malaise of present-day computing. For
| some reason best known to coders, it seems that every piece of software has
| to (a) add a toolbar to browsers, and (b) install a memory-resident portion
| to support a system-tray icon, even if the software only needs to run every
| once-in-a-long-while to perform its task. A large part of the work of the
| system-installer is in cleaning-out this garbage from new computers.

This has always been the case. Today it is system tray-icons. Yesterday, in DOS, it was
Terminate and Stay Resident.

I recall having a discussion long ago about the trend GUIs had for the
completely unnecessary, precious-cycle-stealing animations being displayed
during move or copy operations. It's just one of those things - a bigger
garage ends up holding a greater amount of crap - in fact you would think that
since it was apparently *designed* to hold more crap, you are obliged to
collect more just to make it happy. Beyond that, evidently, you opt in for a
crap-preloaded (happy) garage and pay the installer to remove most of it.

:)

Vadim Rapp

This has always been the case. Today it is system tray-icons. Yesterday, in DOS, it was
Terminate and Stay Resident.

I'm sure there's a difference in the intention. TSR was still for some
practical purposes, important or not, and was invisible. The purpose of
today's tray icon, as I understand, is usually to remind the user about the
"value-added" vendor and create the hope of buying the full version of the junk
supplied with the system. What's most remarkable is not even the deception
itself but the fact that the vendor actually believes that this marketing
idiocy is good business and promotes their title. Some users probably indeed
buy it - the same effect of big numbers as with any spam sent to millions.
One notable example is this company Hilgraeve that Microsoft have been
licensing laughable HyperTerminal from for X years - they still do exist,
and it's easy to figure out why.

Vadim Rapp

Anteaus said:
Toolbars and system-tray icons are a malaise of present-day computing. For
some reason best known to coders, it seems that every piece of software has
to (a) add a toolbar to browsers, and (b) install a memory-resident portion
to support a system-tray icon, even if the software only needs to run every
once-in-a-long-while to perform its task.

They believe it's good marketing. The interesting question is who is more
stupid and who is paying whom - "value-added" vendors to the system
integrator for allowing their junk into the system because they believe it's
good marketing, or integrator to the vendors because it believes that the
junk actually adds value to the system.

David H. Lipman

| I'm sure there's a difference in the intention. TSR was still for some
| practical purposes, important or not, and was invisible. The purpose of
| today's tray icon, as I understand, is usually to remind the user about the
| "value-added" vendor and create the hope of buying the full version of the junk
| supplied with the system. What's most remarkable is not even the deception
| itself but the fact that the vendor actually believes that this marketing
| idiocy is good business and promotes their title. Some users probably indeed
| buy it - the same effect of big numbers as with any spam sent to millions.
| One notable example is this company Hilgraeve that Microsoft have been
| licensing laughable HyperTerminal from for X years - they still do exist,
| and it's easy to figure out why.


Nope. It's the same. It's a program "stub" in memory.