Oracle released Java 8 update 40 last week. The security baseline remained at 8u31, meaning there were no security fixes in this out-of-band update. While the release notes for this version indicate a few bug fixes, the most noticeable change comes for OS X users who now receive the Ask toolbar bundled with the Java installer.
Oracle’s greed is present in the updated Java install instructions, with this notice:
“Oracle has partnered with companies that offer various products. The installer may present you with the option to install these programs when you install Java. After ensuring the desired programs are selected, click the Next button to continue the installation.”
When you proceed through the Java install as normal, the second screen prompts you to install the Search App by Ask. This wants to install a toolbar in Safari for Ask’s mediocre search engine as well as links to Facebook, Google Maps, Amazon, eBay, the weather, and other third-party sites. You can uncheck the box ‘Set Ask.com as my browser homepage’, which is checked by default and will be installed if you just click ‘Next’ through the update or install.
The summary of the installation will confirm whether you installed just Java or the Ask extension(s) as well.
After the install completes, your default browser will launch and take you to the Verify Java Version plugin page. If your default browser is Safari, you will see a prompt right away; otherwise it appears the next time you launch Safari: “Are you sure you want to install the extension “Search App by Ask build 51553634”?” Here you can choose ‘Install’ or ‘Don’t Install’. Thankfully Safari has your back and gives you another chance to escape the bloatware.
If you chose ‘Install’ but wish to reverse your decision, you can go to the Safari menu and choose ‘Preferences…’. Switch to the Extensions tab and find the Search App by Ask extension. You can uncheck the box so that the extension is no longer enabled, or you can use the ‘Uninstall’ button to remove the extension.
A setting that Java on Windows has had for a while allows you to avoid this sort of bundled junkware in the future. After installing Java 8u40 or a newer version, go to System Preferences and launch the Java Control Panel. At the very bottom of the Advanced tab, there is a new option: ‘Suppress sponsor offers when installing or updating Java’. Unfortunately, you have to install Java 8u40 (and you can opt out of installing Ask) before you have this option to prevent future bloatware.