I have to say that in recent years I've installed Java more due to habit than because of an actual need for the software. So when I got the update bubble in the corner of my screen, I figured "of course". I knew they, among other things, fixed the same-origin-policy bypass used in the BEAST attack (you'll find a straightforward explanation of the Java vulnerability here, and links to resources on BEAST here). So I started the update process, and this was one of the first screens I was presented with.
Oracle is clearly working to improve the image of Java:
"Java provides safe and secure access to the world of amazing Java content."
Does it now? And they go on to claim:
"Java makes your internet experience come to life."
We'll see about that. Why? Because clicking "Install" took me to the next screen:
This is an unwelcome blast from the past. Not only is this free add-on stuff an extra step that clutters the update process (the direct opposite of what e.g. the browser vendors are working towards these days), this step also changes your default search provider and installs new and unrelated software that probably needs to be updated too. Ten years ago I was used to clicking through two or three screens with "do you want this free and amazing add-on?" during a software installation. Now it feels more like malware.
Being asked to install the Ask browser add-on depleted my patience. I cancelled the update, went to the control panel and removed the Java installation. It'll be interesting to see how it goes the next couple of weeks since I now risk that my internet experience won't "come to life".
Even though I don't have Java installed anymore, many people do, and many people actually need it installed. To keep these users safe I would urge Oracle to:
- Keep fixing security vulnerabilities in Java
- Work towards a smoother update process, like the rest of the big players do
- Stop polluting browsers with "free add-ons" in the process
It should be hassle-free for users to keep your software safe and secure.