Date: Sun, 08 Mar 2015 12:00:03 +1300
From: "Nick FitzGerald" <nick@...us-l.demon.co.uk>
To: <fulldisclosure@...lists.org>
Subject: Re: [FD] Java 8u40 released: why?

James Hodgkinson wrote:

> Maybe the major change is that they're including the Ask toolbar in
> all releases now, not just the windows one? :)

Indeed!

> The unwelcome Ask extension shows up as part of the installer if a Mac
> user downloads Java 8 Update 40 for the Mac. In my tests on a Mac
> running that latest release of OS X, the installer added an app to the
> current browser, Chrome version 41...

So you did not notice the explanation that this would happen, right 
there on the "continue the install" permission dialog?

The one we can see a screenshot of at, say:

   https://grahamcluley.com/2015/03/oracle-java-mac/

Your description rather strongly implies that you have no choice in 
getting the Ask toolbar, which is untrue.

I understand that Mac users will likely not be _accustomed_ to such 
permissions for _additional_ software, over and above the actual 
software that they thought they were installing, being requested, BUT 
unlike your description above and Ed Bott's at ZDNet (referenced in 
another post in this thread), the user is actually given the choice to 
not install the extra offer.

Of course, questions as to the desirability of the option being 
pre-selected, and the possibly less than fully transparent directions 
about the necessity of the offer are much the same with the Mac version 
and the Windows version, whose permission dialog you can see here:

   http://i.imgur.com/82Tp2pp.png?1




Regards,

Nick FitzGerald



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
