Security News + Software & Apps

It’s back! And it’s likely here to stay. A few weeks ago, Intego pointed out that Mac users were no longer being offered to install the Ask toolbar during the installation of Java for Mac. At that time, the Ask toolbar had mysteriously disappeared from Java installations.

We suspect that, due to media backlash, Oracle temporarily suspended the process that allows the JRE installer to install the Ask toolbar—depending on a country check. Intego was able to reproduce the Ask installation with the Java 8 Update 40 available on Java.com, at the following URL:

http://java.com/en/download/mac_download.jsp?locale=en

We have discovered that the JRE installer does a country check through http://rps-svcs.sun.com/services/countrylookup to determine if the Ask toolbar needs to be activated, using a server hosted by Akamai.

Intego researchers believe that the Ask toolbar is activated and promoted during Java installations depending on the user location. If a user is located in France, for example, he or she will not get the offer, while a U.S. customer will receive it.

The Ask toolbar is deployed through a framework, Sponsors.framework, and downloaded during the Java installation. This framework is installed in ~/Library/Application Support/ of the user’s Home folder.

In all cases, the Ask toolbar components are silently installed regardless of country location, even if the user was not prompted to activate the offer. We found that, for French Mac users, the Sponsors.framework gets installed in OS X after running the Java installer and without any Ask offer notifications. We would not be surprised if the offer is extended in the near future through an auto update.

Inside this framework, the APNSetup.app is responsible for setting the Ask toolbar in the relevant browsers. The APNSetup.app targets the user’s default browser (Ask.com options can differ depending on the user’s browser version).

Java and Ask Toolbar Installation Process

At the beginning of the installation process, the Java installer creates a temporary helper, com.oracle.JavaInstallHelper, in /Library/PrivilegedHelperTools/.

It appears to set Java specific components (such as /Library/Internet Plug-Ins/JavaAppletPlugin.plugin) and it sets privileges. This helper is deleted when installation is complete, and it does not appear to have any relation with the Ask toolbar setup.

There are difference scenarios in which Mac users may receive the Ask toolbar during Java installations. These are as follows:

Scenario 1: Safari as the default browser

If the user is detected to be located in the United States, the Java installer displays a panel to set the Search App by Ask.

Safari users can uncheck “Set Ask.com as my browser homepage.”

When the Java installation is complete, the Java installer redirects the user to the Java website. Safari instantly prompts to install an extension.

If the user does not uncheck anything and allows the extension, both the homepage is set to Ask.com and the Ask toolbar is installed.

The Ask toolbar displays a Hide button, which effectively hides it.

Scenario 2: Firefox as default browser

If the user is detected to be located in the United States, the Java installer displays a panel to set the Search App by Ask.

The user can uncheck “Set Ask.com as my default search provider” and “Set Ask.com as my browser home page and new tabs page.”

When the Java installation is complete, the Java installer redirects the user to the Java website. Firefox prompts to restart in order to finish the installation.

After restart, Firefox notifies to install new add-ons and the user can allow or disallow the installation. Firefox has to be restarted again.

If the user does not uncheck anything and allows the extension, both the homepage is set to Ask.com and the Ask toolbar is installed.

Scenario 3: Chrome as the default browser

If the user is detected to be located in the United States, the Java installer displays a panel to set the Search App by Ask.

Chrome users can uncheck “Add the Search App By Ask.”

When the Java installation is complete, the Java installer redirects the user to the Java website. Chrome prompts to restart in order to complete the installation.

If the user does not uncheck anything and allows the extension, both the homepage is set to Ask.com and the Ask toolbar is installed.

The Ask toolbar displays a Hide button, which effectively hides it.

How to Get Rid of the Ask Toolbar

It is important to note that, regardless of the user’s country location, the Java installation will download the Sponsors.framework and install it. We believe that the Ask toolbar may be activated in future auto-updates without having to run the Java installation. This means that if the Ask toolbar offer is disabled when installing the Java update, the framework still gets updates silently if already installed. (The user would not need to update Java to get the Ask toolbar; it is still there silently.)

Intego VirusBarrier protects Mac users against the Ask toolbar extensions for Safari and Firefox, detected as OSX/AskToolbar. Unfortunately, we are unable to block the toolbar for Chrome without destroying the Chrome database; therefore, Chrome users will need to uninstall the Ask toolbar manually. Google Chrome users can head over to the Chrome support page for help uninstalling extensions, which includes the Ask toolbar.