Open Source and information security mailing list archives
 
Date: Sun, 8 Mar 2015 09:29:50 +1000
From: James Hodgkinson <yaleman@...etek.net>
To: Nick FitzGerald <nick@...us-l.demon.co.uk>, 
 fulldisclosure@...lists.org
Subject: Re: [FD] Java 8u40 released: why?

Nick,

Nowhere in the quoted text or my comments did it say it was a forced option, only that it “appeared” in the update; this thread started with questions as to whether there were any actual changes with the version bump, and I was offering a possibility.

James





On 8 March 2015 at 9:07:41 am, Nick FitzGerald (nick@...us-l.demon.co.uk) wrote:

James Hodgkinson wrote:  

> Maybe the major change is that they're including the Ask toolbar in  
> all releases now, not just the windows one? :)  

Indeed!  

> The unwelcome Ask extension shows up as part of the installer if a Mac  
> user downloads Java 8 Update 40 for the Mac. In my tests on a Mac  
> running that latest release of OS X, the installer added an app to the  
> current browser, Chrome version 41...  

So you did not notice the explanation that this would happen, right  
there on the "continue the install" permission dialog?  

The one we can see a screenshot of at, say:  

https://grahamcluley.com/2015/03/oracle-java-mac/  

Your description rather strongly implies that you have no choice in  
getting the Ask toolbar, which is untrue.  

I understand that Mac users will likely not be _accustomed_ to such  
permissions for _additional_ software, over and above the actual  
software that they thought they were installing, being requested, BUT  
unlike your description above and Ed Bott's at ZDNet (referenced in  
another post in this thread), the user is actually given the choice to  
not install the extra offer.  

Of course, questions as to the desirability of the option being  
pre-selected, and the possibly less than fully transparent directions  
about the necessity of the offer are much the same with the Mac version  
and the Windows version, whose permission dialog you can see here:  

http://i.imgur.com/82Tp2pp.png?1  




Regards,  

Nick FitzGerald  



_______________________________________________  
Sent through the Full Disclosure mailing list  
https://nmap.org/mailman/listinfo/fulldisclosure  
Web Archives & RSS: http://seclists.org/fulldisclosure/  
