OFFICIAL SECURITY BLOG


Java now installing adware

Published March 4th, 2015 at 11:34 AM EDT, modified March 4th, 2015 at 11:34 AM EDT

Rich Trouton, a Mac systems administrator who runs the Der Flounder blog, discovered yesterday that a Java installer is installing adware, in the form of the Ask Toolbar. (He first wrote about it on JAMF Nation, but has published additional information in his Der Flounder post today.) Fortunately, in the course of trying to duplicate his findings, it appears that this installer is a bit finicky, and may not always install the toolbar properly.

I had a slight bit of trouble finding the troublesome installer at first. My search initially took me to Oracle’s site, where I downloaded Java 8 Update 40 and found that it was just a simple installer package, with no nasty hitchhikers. My second stop – to Java.com – hit paydirt, though, with the Mac installer downloaded from that site being the application described by Trouton.

On running that installer, I initially saw exactly what Trouton described. At one point in the install process, I was asked whether I wanted to install the Search App by Ask. The box was checked by default, and I left it that way.

However, from there, my experience differed a bit. I never saw the alert Trouton described asking if I was sure I wanted to install the toolbar, and no toolbar was visible in any browser. A bit of searching the file system revealed that an Ask Safari extension was present, but for some reason hadn’t been installed properly.

After much experimentation and frustration, I found that the installer is a bit fragile. It turns out, something goes wrong with the process if Safari isn’t open during installation. By leaving Safari open, I found that the extension was installed, and saw the toolbar appear in Safari. However, I never did see that install confirmation alert, even then. Clearly there’s still something different between my installation and Trouton’s, but I haven’t figured out what that might be yet.

Unlike other adware installers that I have seen, this also seems to only install the toolbar into the default browser. So, I repeated the process for both Chrome and Firefox, and found that it was installed in each of those as described, but only for the one that was the default browser. (Interestingly, my test system had a rather outdated version of Firefox – version 28.0 – which caused the install to fail again. I had to update to 36.0 to get the toolbar to install.)

Despite the fragility of the adware install process, this is still going to be a problem for many people installing Java. Oracle should be ashamed of themselves! Since Java has repeatedly posed security problems in the past, and Oracle has now shown a willingness to infect their own users with adware, I strongly recommend avoiding Java if at all possible. For those who must have Java, Trouton has posted information in his Der Flounder article on how to run the Java installer only, found inside the adware-riddled Java 8 Update 40 application, which should install Java without the toolbar.

For those affected by this Ask Toolbar, I have added detection of the Ask browser extensions and support files to my AdwareMedic app and my Adware Removal Guide. And thanks to Rich Trouton for bringing attention to this issue!
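A read-only check for the leftovers that commenters on this post report (the `Sponsors.framework` folder under `~/Library/Application Support` and the two extension files found inside it), added here as an example and not AdwareMedic's own detection logic. The function name `scan_ask_artifacts` and the `--scan` switch are made up for this example; the file-name patterns are derived from the names quoted in the comments.

```bash
#!/bin/sh
# Added example (not AdwareMedic's code): read-only scan for the Ask "Sponsors"
# leftovers that commenters on this post report. Nothing is deleted.
#
# Output: one "KIND<TAB>PATH" line per finding.
# Exit status: 0 if anything was found, 1 if every scanned home is clean.

scan_ask_artifacts() {
    # Default to the current user's home when no directory is given.
    [ "$#" -gt 0 ] || set -- "$HOME"
    hits=0
    for home_dir in "$@"; do
        framework="$home_dir/Library/Application Support/Sponsors.framework"
        [ -d "$framework" ] || continue
        # Per the comments, the framework is dropped even when the Ask offer
        # is declined, so its presence alone does not mean a toolbar is active.
        printf 'framework\t%s\n' "$framework"
        hits=$((hits + 1))
        # Patterns derived from the two file names quoted in the comments.
        while IFS= read -r payload; do
            [ -n "$payload" ] || continue
            printf 'payload\t%s\n' "$payload"
            hits=$((hits + 1))
        done <<EOF
$(find "$framework" -type f \( -name 'searchAskApp_*' -o -name 'toolbar_*@apn.ask.com.xpi' \) 2>/dev/null | sort)
EOF
    done
    [ "$hits" -gt 0 ]
}

# Hypothetical switch for stand-alone use: sh scan_ask.sh --scan [HOME_DIR ...]
if [ "${1:-}" = "--scan" ]; then
    shift
    scan_ask_artifacts "$@"
fi
```

Extra arguments can point at other home directories, for example a user folder inside a mounted backup, since one commenter found copies on Time Machine drives.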


60 Comments

  • Patrick says:

    Well, I have never tried installing Java on a Mac but I know on the PC side of things, Java has always had a box to come up with the Ask toolbar checked and you have to uncheck it, if you don’t want it to install the Ask toolbar. Just like Adobe’s Flash wants to install Google Chrome. I always try to look for these extra settings and turn them off when I can. I don’t like that these companies do this but I don’t know how to avoid it either.

    • Thomas says:

      Yeah, I don’t keep up much with what’s going on in the Windows world. I prefer to forget that Windows exists whenever I can. Every time I have to make a foray into Windows, it’s not fun. It’s almost like Microsoft is trying to chase away its customer base!

      In any case, though, you’re right… many people have pointed out to me in the last couple hours that Java for Windows has suffered the same fate for some time. Ed Bott published an article on this back in 2013 with eerily-familiar screenshots. I guess Ask finally caught up with the other adware makers and gave them a Mac toolbar to install. 🙁

      • Steve says:

        Just came here to say that for the first time in years Java 8 Update 40 the 64-bit Windows installer came WITHOUT Ask toolbar. I was so shocked and bewildered I had to see if found this too and I’m not too hungover from last night, but as crazy as it sounds Oracle has listened to my prayers.

  • Blaine says:

    I noticed that. I downloaded the update from my once trusted macupdate.com. The installer icon and subsequent install screens looked wrong, then I got to the Ask Toolbar screen and aborted the whole thing. I went directly to Oracle, downloaded the installer, and the icon and install process looked normal.

  • Blaine says:

    Yes, the bad installer was not consistent in what it showed or the steps it took. Looked a lot like the bad MPlayer installer I have seen customers installing and ending up with adware.

  • Ofelia says:

    Assuming you’ve tagged every post related to Java with “Java,” you’ve said nothing about it since September of 2013. Talk about a throwback!

    • Thomas says:

      Yup, it was quite a problem back at that time. There hasn’t been much news in the Mac world about Java since that time, but I still haven’t trusted it since then.

      • Ofelia says:

        Oh, yeah, nobody has. I was just shocked as to exactly how far back I had to go on memory lane to when I last heard about it! 😀 😀

  • Mike says:

    Thank you for your site! I’m a “Windows” guy and my wife just called me at work stating her Mac is getting tons of Ad pop-ups in Safari. After interrogation she said she installed Java yesterday, required by one of her clients to upload files on their website. Luckily I ran across your site describing the issue and she’s now running Adware Medic in hopes to clean her system.

    Like you said, Oracle should be ashamed of themselves distributing Adware.

    • Kendall says:

      Go to Safari->Preferences->Extensions, where she should be able to remove/disable it. I doubt the Adware Medic will find it.

      • Thomas says:

        Ummm… did you not read the article? Specifically, the part at the end where I said I had added detection of this adware to AdwareMedic?

  • Caribou says:

    Yep, Windows adware ported to the Mac side … no thank you Oracle!

  • techtangents says:

    Oracle have previously told us that the adware installer is *delayed* – it runs some time after the Java installer. This would explain the behaviour you’re seeing.

    • Thomas says:

      I don’t think that explains it. In some cases, I kept the test system running for some time, poking around in the system looking at what got installed. At no point did the adware installer run. However, in every case where I managed to get the adware installed, by meeting the conditions necessary to get it to install, it happened right away following the Java install.

  • Ian MacGregor says:

    Thank you, Thomas! Linking this article on my Facebook and retweeting.

  • Jay says:

    So is there any actual adware or just a toolbar? Does it inject ads on places there usually aren’t any?

    • Thomas says:

      I have not documented any ad injection at this time, but that doesn’t necessarily mean it doesn’t exist. Sometimes adware only starts showing the ads after it’s been installed for a while. Of course, there also might be nothing to it other than the toolbar.

  • Mike Boreham says:

    I installed the adware version, but unchecked the Ask.com option. The Ask toolbar was not installed and there was no Ask extension in Safari -> Extensions, BUT AdwareMedic found the Ask Toolbar in ~/Library/Application Support/Sponsors.framework. This location does not seem to have been mentioned anywhere.

  • eric says:

    Haven’t used Java in years. No need for this insecure pile of garbage.

  • Paul van Hooff says:

    If you’re the one that developed and shared Adware Medic I thank you very, very much. I finally kicked that horrible MacKeeper off my Mac, which is far faster. So great job. So why no donation? At the moment my cashflow is very low. When not I will not forget you.

  • Chas4 says:

    It installs the sponsor framework even if you select no to the Ask

    • Thomas says:

      Yup. That appears to be dormant, though, if you opt out of the adware. Still, if you must have Java, I’d recommend not using this installer at all, and follow the recommendation on Rich Trouton’s blog for installing Java only.

  • Kr00 says:

    If you do have Java installed, open the Java Control Panel via System Preferences (Java Control Panel opens in a separate window). Select the “Advanced” menu, and at the very bottom under Miscellaneous, check the box “Suppress sponsor offers when installing or updating Java”. This may or may not hinder unwanted extras being installed.

    Thomas, this is a great and helpful blog. Your Adware has saved the day many a time. Thank you.

    • Al Varnell says:

      You seem to be pointing to the Java Development Kit version of Java which is primarily for Java programmers and almost four times larger than the Java Runtime Environment version being discussed here. I found the JRE version downloaded from that site to be identical to the one from Java[dot]com.

      • @elias says:

        There is also current JRE on it. What do you mean “identical”, has your download from Oracle the Ask Toolbar on it? For no Adware from that site. As Java Dev I download for long time direct from Oracle with no issues.

        • Al Varnell says:

          Yes, the JRE from that site is identical to the one from Java[dot]com in size, date & hash value, and both previously attempted to install the Ask Toolbar when I first downloaded them.

  • patrick j mele says:

    Thanks for the heads up Thomas, Feel much safer with this knowledge, I’m going to run AdwareMedic now to check for that pesky toolbar. I will however check the advanced window of Oracle Control panel and uncheck “Sponsored offers”

  • F.C. says:

    I just tried to download the latest Java installer and Firefox alerted me that the certificate was untrustworthy.

  • AnonymousSecureMac says:

    Hi Thomas

    Oracle seems to have removed the Ask Toolbar installer.
    I actually tried to install more than 5 times with several downloaded JRE 8u40 versions on March 6/7/8/9.
    Even in combinations with different JDK versions, 6/7/8.
    Without any result, no Ask toolbar installer screen was shown during the installation process (same thing for when running JDK 7/8 installers. But we already knew that was not supposed to happen).

    I even completely took apart the installer packages of the Java Installer file and there is no proof whatsoever (anymore) to find a reference to the Ask Toolbar installer. Just look in the resources directory for example, no images showing the toolbar or icons, only some other images like the “Java3BillDevices_EN.png” for example.
    Only reading the actual payload file was too much of a hassle because it asks a very lot of CPU power to read the code (and I’m not a code reader anyway).

    All the downloaded JRE 8u40 versions that I did find on different locations on the (of course) Oracle/Java.com website all have the same sha though.

    So my question to you is:

    – Could/would you be so kind to supply/post an sha1 or sha256 hash of the Java installer file that actually led to a successful installation-menu showing an Ask toolbar during the installation process?

    – On which day did you download the actual installer file using which download link?

    Please, consider looking at this (don’t mind not posting this anonymous message, more important is the result that’s counting), wouldn’t it be nice news as well if Oracle actually did (silently) remove the installer again?
    If they did not, then it is still a nice idea to have that cleared out as well as which versions don’t actually offer the Ask toolbar installer.

    And oh, why did I try to install Java?
    Actually I’m more an expert in totally removing Java from old and new Macs (my advice is as well avoiding Java when you can find applications that do not need it) but I was very very curious about what was actually inside the “Sponsors.framework” (bundle/package), maybe you could tell us what is actually inside?
    Why again? I don’t like the idea of ignoring user preferences during an installation process, if you say “No I do not want to install this, then it should not be installed” Even if it is an empty file, No! is No!

    Hashes that I found on the jre-8u40-macosx-x64.dmg
    sha1 = 17f73400eacba3e8e69d039aa8a71b361377679d
    sha256 = e7bdcab20dd0cb38829eda148e2ac5241a805adea292813a19420a904af3166d

    Keep up the good work with TheSafeMac/AdwareMedic
    I’ll point all the time at it and people do appreciate your efforts (outside US as well!)

    AnonymousSecureMac
    😉

    p.s. / last remark
    I did post some of the ‘same’ questions somewhere else on a larger forum post, but did not get a satisfying response from Mac users leading to an answer yet.
    (That post has an extra plus on remarkable findings/insights/thoughts on Oracle, Security, Java & the Java Browserplugin matter – just use Google translate, not quite perfect but in a way good enough for the smart ones. Judge it yourself, maybe there’s even something inspiring to find on the Oracle Java Topic -> JRE=a very large fat browserplugin nowadays ?! WTH! Apple Java 6 seemed to have a far better solution with just a removable 4KB alias!)
    https://www.security.nl/posting/421177/Oracle+Java+Adware+verwijderd?

    😉

    • Al Varnell says:

      The Ask Toolbar is not contained within the Java 8 Update 40 installer, rather it is downloaded from javadl-esd-secure.oracle[dot]com over https, probably after you agree to install the Java Helper. My jre-8u40-macosx-x64.dmg has an identical sha1 to yours.

      • Krakatau says:

        Or AnonymousSecureMac has removed the https certificate for javadl-esd-secure.oracle[dot]com? Which may also prevent a successful download of the Ask Toolbar but also prevent the update checker from working (?)

  • Al Varnell says:

    Intego published their findings today @ http://www.intego.com/mac-security-blog/java-for-mac-and-the-mysterious-ask-toolbar/. In their analysis they found that the Ask toolbar was not adware, but simply a potentially unwanted application/product. If the Java installer finds that you already have the toolbar, then it will add the Ask Shopping Toolbar, which can potentially function as adware. They also note that the Java FAQ on this subject http://www.java.com/en/download/faq/ask_toolbar.xml indicates they will be added to your other browsers on subsequent installations.

    But just as some other users have reported here, they found that toolbar installation has been suspended at the moment, possibly related to user reaction. Future installation could always resume Toolbar installation or even something else.

    • Thomas says:

      I can confirm that I can no longer get the Java download to install the Ask toolbar. It was a bit finicky, though, so I can’t be sure that it has been purposefully removed by Oracle or that this is just a glitch. (Considering my opinion of Oracle, I’d probably vote for the latter! 😉 )

  • Leo says:

    I wonder if those annoying JavaScript popups on iOS can do any harm? They typically block the Safari browser on iPad until you are forced to press OK on the popup. I did this by accident a couple of times and it took me either to the App Store offering to download some stupid game app, or to a porn page. Can just clicking OK on such a JavaScript popup window expose me to any malware? I did not install any apps or do anything on the scam webpage, but can it still hurt an unjailbroken iOS device?

  • Matt says:

    Looks like Oracle just removed the Ask toolbar from the package…

    • Al Varnell says:

      It was never really in the package, but downloaded during the installation phase. As I reported earlier, that seems to have been at least suspended for the moment.

  • isabel says:

    thank you T!! i spent hours trying to manually get this crap off my computer, in less than 5 minutes after downloading your amazing stuff i was malware frreeeeeeeee! you rock,

  • David Blaska says:

    Love your service. Will donate. The MacKreeper assault even attacks the Google search of your name with spam sites. Advise your clients to type in the exact web address rather than do a search. Again, thanks.

  • Paulo says:

    Thanks Thomas for your detailed (and verifiable) explanation. It helped me a lot for the way you described is what I have also experienced with the JI. Donating and following your advice is worthy even a small token.

  • Stéphane Moureau says:

    Strange, I have reported it to you on February 1, only on PC.

    Email title “Thanks and few items”

    Thanks

  • Angela says:

    I have just tried to install Java as I need it to run the GRE prep, however, it is still loading the ask toolbar as an adware. You can select not to have it as your browser, but it shows when looking for adware. What can I do just to install Java with the ask toolbar adware? Great software thank you.

  • Coen says:

    Thank you! I needed the legacy 6 Java to run a program, and since then I have been inundated with adware popups in Safari. Your Adware medic seems to have removed it.

  • Stuart Cassel says:

    I added Java to my computer maybe about 6 months ago. I downloaded the dmg file, added the Java and all seemed OK. Now at least once or twice a day I get a message telling me that the Java program needs to be updated. After selecting OK it goes away. I’m not sure what I’m doing wrong. Does anyone have any suggestions?

    • Al Varnell says:

      You haven’t really given me much to go on since there are three possible versions of Java available to you from two different sources (Oracle and Apple) and some differences depending on what version of OS X you are using. I’ll take a guess and say you have one of the Oracle versions from java.com, in which case there have been multiple updates in the last six months and OS X has disabled the use of most of the older ones in your browser. In that case follow the instructions at “How do I update Java for my Mac?” https://www.java.com/en/download/help/mac_java_update.xml.

    • Thomas says:

      In addition to what Al has said, what you’re seeing could be a scam to convince you to install whatever the pop-up is trying to get you to download. Which would not be Java.

  • valeria says:

    A thousand thanks for your site; thanks to it I solved my problem with AdwareMedic. GOD bless you.

  • Richard Johnson says:

    I needed to install JRE on a brand new 2013 iMac running 10.10.3 yesterday because my oldish Brother MFC-665CW printer asked for a Firmware Update and required JRE to install it. I installed the standard Java 8 Update 40 from the Mac .dmg download. I selected “No” to the Ask.com installation. Overnight, VirusBarrier x8 had identified 2 new pieces of malware:
    searchAskApp_ORJ-M.safariextenz
    toolbar_ORJ-M@apn.ask.com.xpi
    both buried in the ~/Library/ApplicationSupport/Sponsors.framework/Versions/A/ResourcesAPRNSetup.app/Contents/Resources/
    folder. They were present on my iMac internal hard drive as well as 2-3 copies of each on two external Time Machine drives. I read Thomas’ notes above, and Adware Medic, updated today, got rid of them on my internal drive. I went into the external drives and removed them with the supplied Time Machine software Action Menu “Delete All Backups of ‘(filename)’”.
    Oddly enough, after finding the two files by VBx8, I searched all three drives for various versions of the files (Sponsors.framework, searchAskApp_ORJ-M, toolbar_ORJ-M@apn.ask.com.xpi) using FindAnyFile, including invisible files. It identified several copies on the TM drives on multiple dates, but 2-3 others were also present on the TM drives on different dates. Presumably, the Action Menu command should have deleted them all, but I’ve only used FindAnyFile recently, and I should ask them why it didn’t spot all the TM copies. It seems the Java 8 Update 40 .dmg Mac download is still installing this adware. Many thanks to Thomas for Adware Medic and his close eye on these problems.

  • Al Varnell says:

    My examinations indicate that the Java SE 8u45 released today contains no adware. You should be able to update by going to System Preferences->Java and using the Java Control Panel’s Update tab to install Java and nothing else or go to http://www.java.com (or oracle.com if you must) and download a normal adware-free update package from there.

  • Katelyn says:

    After I updated my Java on April 23rd MacVX adware became installed on my MacBook Pro! 🙁 I thankfully used Adware Medic to remove this malware and the ads have ceased to appear; however, I am now getting alert messages from Cox about a computer on the home network being detected with a virus. Does anyone have any thoughts on this and what it could mean? Thank you Thomas for providing this program for free! 🙂 My computer is stocked full of important data and I spent hours trying to uninstall the constant pop-up adware all the while dreading the thought of having to wipe it clean. I am eternally grateful and will be making a donation to support your work very soon! Thank you for saving my Mac and most importantly, my sanity! Truly.

    • Thomas says:

      The e-mail from Cox is most likely a false positive. There’s no known malware capable of infecting an up-to-date Mac system at this time, so it’s unlikely that you are infected with some kind of malware. It’s also possible that they detected something that the MacVX adware was doing.

    • Al Varnell says:

      When you call, ask to speak to a tech that is skilled in Macintosh computers, then ask for exact details of what they are seeing at their end to cause them to reach this conclusion. They cannot access your Mac to determine that it is infected, so they are reaching the conclusion based on something else. You need to find out exactly what that is.

  • mike orlin says:

    So I read on the Web page The Safe Mac (http://www.thesafemac.com) that Java is a problem and it is best to get rid of it. I followed the advice to uncheck “enable Java”
    (on my Safari version it’s “Allow java” but it’s probably the same thing).

    But is that enough? That’s for Safari, thus Web surfing. How about the Java folder in Mac Pro–>Library?
    It has 3 folders. Two are empty (“Extensions” and “JavaVirtualMachines”) but the “Home” folder has 5 folders and each has a lot of subfolders with 44 to 67 items each.
    There must be 200 items or more there.
    Should I leave it alone?

    ————-
    After reading this and other articles, I made a search on my computer (Finder–>Find) for “JavaAppletPlugin.plugin” and nothing appeared.
    Also Java is not present in System Preferences.
