Bug 1007271: Blocklist ask.com toolbar (default installation via Java upgrade)
Status: RESOLVED INVALID (opened 11 years ago, closed 8 years ago)
Categories: Toolkit :: Blocklist Policy Requests, defect
People: Reporter: wenzel, Unassigned
Attachments: 2 files
I just updated Java in my VM and came across an enabled-by-default installation of the ask.com toolbar that would be sideloaded into Firefox (and Chrome, fwiw).
Given that:
- it has nothing to do with Java
- it is enabled by default (encouraging people to just click ok ok ok as they tend to in update screens)
I suggest this add-on as a hot candidate for blocklisting.
Screenshot attached.
Comment 1•11 years ago
Dupe of bug 720170, no?
Comment 2•11 years ago
The policies have changed since then. This is what we require now: https://developer.mozilla.org/en-US/Add-ons/Add-on_guidelines, and being silently installed is definitely sufficient reason for blocklisting.
Fred, can you confirm that you weren't prompted in Firefox to enable the extension?
Comment 3 (Reporter)•11 years ago
Of course, I clicked "no, what the heck" and now I have a hard time getting back to that stage (I figure I might need to clone a VM with an old version of Java and trigger the automatic update on it to get that again).
I'll try, but if someone has the opportunity to trigger an update on their Java instance and get to this point, please do so as well so we can confirm.
Comment 5•11 years ago
I asked dmajor to install in a VM and document the exact experience as well as what "always keep Ask as my search provider" actually does and how it works.
Flags: needinfo?(dmajor)
This was a little tricky to reproduce because the toolbar bundle is region-specific, and it has a sneaky install timer.
Environment: Windows 8.1, FF 29.0.1, connected from the United States
1. Run jre-7u55-windows-i586-iftw.exe (the "Windows x86 Online" version) from: http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
2. Click "Install" (don't select a custom folder)
3. After the stub downloads the package, it will offer the Ask toolbar, checked by default. (It will not be offered if outside the US)
4. Accept the defaults. At the end it will say: "You have successfully installed Java. The Ask Toolbar will install shortly."
5. Look in Control Panel, Programs and Features. The Ask Toolbar is not listed.
6. Wait a few minutes.
7. Refresh the list of Programs and Features. The Ask Toolbar has been installed.
8. Restart Firefox. Select "Allow this installation" for the Ask add-on. Restart Firefox again.
9. The homepage is now Ask. In Firefox options, change the homepage to http://www.mozilla.org
10. A flyout window appears (attachment 8423626 [details]). The "click here" link leads to the "More Info" dialog. I left "Home Page" checked and clicked OK.
11. Restart Firefox. The homepage is still Ask.
12. Attempt to change the homepage again. This time, no notification. The homepage is still Ask.
13. Open the toolbar's Options panel and uncheck "Prevent third-party software from changing my Ask Home page"
14. Attempt to change the homepage again. It is successfully changed.
Notes:
* I chose JRE 7u55 because Oracle admits that this version has sponsor offers: http://www.oracle.com/technetwork/java/javase/7u55-relnotes-2177812.html
* The delayed install behavior is noted here: http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ For me the delay was 4-5 minutes rather than 10. Unlike the article, I didn't see any UI encouraging me to click "Allow this installation."
* Un-checking the Ask checkbox prevents the installation (no silent install against your will). Installing Ask without the "Set and keep" options leaves the homepage untouched. Uninstalling the toolbar restores your pre-installation homepage.
There are certainly some questionable practices with this toolbar, but I don't know if they count as policy violations. Jorge et al should weigh in on that.
Still looking into the technical aspects of the homepage resets...
Flags: needinfo?(dmajor)
Comment 8•11 years ago
(In reply to David Major [:dmajor] (UTC+12) from comment #7)
> 8. Restart Firefox. Select "Allow this installation" for the Ask add-on.
> Restart Firefox again.
Okay, so this is at least not a silent install.
> 9. The homepage is now Ask. In Firefox options, change the homepage to
> http://www.mozilla.org
> 10. A flyout window appears (attachment 8423626 [details]). The "click here"
> link leads to the "More Info" dialog. I left "Home Page" checked and clicked
> OK.
> 11. Restart Firefox. The homepage is still Ask.
> 12. Attempt to change the homepage again. This time, no notification. The
> homepage is still Ask.
This is not acceptable. I'll contact Ask and tell them to remove this.
It would also be useful if you can try uninstalling, and see what that does to the homepage or search options. They should be reset, per our guidelines.
> It would also be useful if you can try uninstalling, and see what that does
> to the homepage or search options. They should be reset, per our guidelines.
Yes, uninstalling restores the previous homepage and search engine, and shows a dialog telling you so.
Comment 10•11 years ago
According to Ask, changing the homepage from the settings window shouldn't trigger the Settings Protection. Can you confirm that you didn't change the homepage from about:config, or some other place?
Flags: needinfo?(dmajor)
Comment 11•11 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #10)
> According to ask, changing the homepage from the settings window shouldn't
> trigger the Settings Protection. Can you confirm that you didn't change the
> homepage from about:config, or some other place?
Yes, I used the regular settings window. However, this behavior seems to be intermittent. I tried 10 more times, restoring my VM to the just-installed state in between each attempt.
5/10 times, my homepage was allowed, and the option for "Prevent third-party software from changing my Ask Home page" became unchecked.
The other 5/10 times, I got the flyout window, the Ask homepage was preserved, and the "Prevent" option remained checked.
Flags: needinfo?(dmajor)
Comment 12•11 years ago
In terms of the technical implementation: The toolbar installs a background utility called "Ask Toolbar Notifier" (TBNotifier.exe) that monitors and reverts changes to prefs.js. This can happen even when Firefox is not running.
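An added example, not part of the original bug thread and not Mozilla or Ask code: a defender-side check for the behavior described in comment 12, comparing time-ordered copies of prefs.js and flagging a homepage value that changes while Firefox was not running or that snaps back to an earlier value. The snapshot labels, the `firefox_ran` flag, the sample prefs.js content and the `toolbar-home.example` URL are constructed assumptions.

```python
import json
import re

HOMEPAGE_PREF = "browser.startup.homepage"
# prefs.js lines look like: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*(.*?)\s*\);\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        try:
            prefs[json.loads(m.group(1))] = json.loads(m.group(2))
        except ValueError:
            continue  # value is not a plain string/number/boolean literal
    return prefs

def find_tampering(snapshots, pref=HOMEPAGE_PREF):
    """snapshots: time-ordered (label, firefox_ran_since_previous, prefs_js_text)."""
    findings, seen = [], []
    for label, firefox_ran, text in snapshots:
        value = parse_prefs(text).get(pref)
        if seen and value != seen[-1]:
            if not firefox_ran:
                # Firefox is the expected writer of prefs.js; something else wrote it.
                findings.append((label, "changed-while-firefox-closed", value))
            if value in seen[:-1]:
                findings.append((label, "reverted-to-earlier-value", value))
        if not seen or value != seen[-1]:
            seen.append(value)  # keep only distinct consecutive values
    return findings

def sample_prefs(homepage):  # constructed content, not taken from a real profile
    return ('// Mozilla User Preferences\n'
            'user_pref("browser.startup.page", 1);\n'
            f'user_pref("browser.startup.homepage", "{homepage}");\n')

TOOLBAR_HOME = "https://toolbar-home.example/"  # placeholder URL (assumption)
SNAPSHOTS = [
    ("after-install", True, sample_prefs(TOOLBAR_HOME)),
    ("user-changed-homepage", True, sample_prefs("http://www.mozilla.org")),
    ("firefox-closed-5min", False, sample_prefs(TOOLBAR_HOME)),
]

if __name__ == "__main__":
    print(*find_tampering(SNAPSHOTS), sep="\n")
```

In practice the snapshots would be copies of the profile's prefs.js taken at intervals, with the `firefox_ran` flag derived from process monitoring on the same host.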
Comment 13•11 years ago
We've been talking to Ask about this and hope to reach a conclusion soon.
In the meantime, we're blocking some specific versions of the toolbar that are causing issues when opening new tabs (bug 1024719).
Comment 14•11 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #13)
> We've been talking to Ask about this and hope to reach a conclusion soon.
Any progress?
Flags: needinfo?(jorge)
Comment 15•11 years ago
Last I heard from Ask, a couple of weeks ago, is that they were rolling out the fix through their various partners. So by now most installers shouldn't have the Settings Protector software anymore.
Flags: needinfo?(jorge)
Updated (Assignee)•9 years ago
Product: addons.mozilla.org → Toolkit
Comment 16•8 years ago
Closing old blocklist requests that shouldn't be valid after the move to WebExtensions-only in Firefox 57. Please comment if you think this bug is still valid and should be reopened.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID