Windows users who install the latest Java security patches may end up with a little more security than they bargained for, at least that’s the risk they take if they don’t pay close attention to the installation process.
Starting last month, Oracle began bundling a security scanning tool called the McAfee Security Scan Plus with its Java updates for the Windows operating system. The software is installed by default with the Java update, so unless users notice and uncheck the McAfee installation box as they’re updating Java, they’ll end up downloading McAfee’s software too.
Security Scan Plus checks the PC to see if has antivirus and firewall software and if they’re both up-to-date. The program comes with pop-up windows and is a bit more noticeable than the previous software that was bundled with Java in the U.S., such as the Yahoo Toolbar. Oracle bundles different products with Java in different regions, so not all Windows users may get Security Scan Plus with their Java updates.
Once downloaded, the McAfee software prompts the user on a daily basis to accept McAfee’s licensing terms to complete the installation. The user can cancel out of this prompt, but there is no option to decline the terms. To remove the software, the user must use the Windows “Uninstall a Program” feature.
A number of users have inadvertently installed the software since Oracle started the bundling deal with Intel’s McAfee subsidiary last month.
Oracle has even posted a frequently asked question (FAQ) page to its Java.com Web site to explain the software, entitled, “What is Security Scan Plus.”
Some users are unhappy, including one who posted to an Intel message board after noticing a slowdown on a family member’s PC a few weeks ago, apparently after a Java update. “[M]y stepdaughter asked me today why her computer was running so slow, and, of course, it had McAfee AV on it,” he wrote. ” Seriously, this thing [sucks] the very life blood out of your system.”
Security Scan Plus is a 1MB download. But it uses 4MB of memory when running, a company spokeswoman said via e-mail. There are other ways to end up with it on your system. Some users have complained of downloading it as part of an Adobe reader update, and it can be picked up when downloading via Adobe’s Download Center, an Adobe spokeswoman said.
McAfee defended its decision to leave the Security Scan install box checked by default. “McAfee believes it’s better to be protected than unprotected, therefore we are offering this as a default,” a McAfee spokeswoman said via e-mail. “A surprising number of people have computers with out-of-date security or no security at all.”
The group that polices software vendors — StopBadware.org — says that while McAfee and Oracle could do a better job of notifying users about the installation, the scanner is definitely not badware.
“It sounds like it’s annoying; it doesn’t sound evil,” said StopBadware’s executive director, Maxim Weinstein. “Even though something like this may not be hidden in a nefarious way, it would be nice from a user standpoint to give them something a little clearer.”