It is unfortunate that some vendors push bad security practices.

The JDK 7 update 55 is showing "This update is locked with a password." popup.

It is obvious that you would not give your password to any stranger asking for it on the street, and this prompt is no different from a stranger. You have no way of telling where that password will be used.

It is good practice to use system services as a transparent and trusted way to ask for additional privileges. This update clearly violates this principle.

Below is a screenshot displaying the popup along with plausible ps axu listing showing that it might indeed be Oracle's update prompting for some password.

Shame on Oracle for making phishing user credentials one step easier.

https://www.dropbox.com/s/znoavsap0dv9ruw/Screenshot%202014-04-22%2019.15.53.png

Agreed, this just happened as I was updating it. What is even more disturbing is it's now nearly May and people have been coming across this issue since last year.

Appalling behaviour by a supposedly competent developer.
 
Also just had this issue updating from 51 to 55. I didn't enter a password and the updater just had an endless progress bar. Killed it and manually updated from the Java control panel, which worked fine. I imagine it's a bug somewhere. A bit silly though, and triggers warning bells in most people's minds when they see something unusual asking for a password rather unexpectedly.

I assumed it was encrypted compression by the dialogue box but who knows.
 
I've just gone through the same process with Update 55. But when I tried to update via the Java control panel, I got the same weird dialog box asking for a password. So I forced it to quit again.
 
Java 7 Update 55 asks for password

I had the same behavior trying to update from 51 to 55, the odd-looking password prompt resulting in nothing. Updating Java via the Java control panel worked smoothly without any popup.
 
I rarely update flash and java when I get the popup notifications....... is it safe to update via the system preferences?
 
Happened this morning

Got the update notice and then the password window others have shown. Looked sketchy as hell and so I canceled but then it never shut down. I restarted my computer. For something that has such a reputation for having security concerns, it seems pretty crazy that they'd allow something like this to not only happen but continue for at least 5 months.
 
Still does!

Same here:

java_update_password.jpg


Reported an issue at Sun Bug Report
 
Java popped up and said a new version was available... I don't know what the major number was, but the minor number was 51, as I recall.

I gave it the okay. A few seconds later it popped up a message, "This update is locked by a password" with a text field labeled "Password". This wasn't the typical OS X password window. It didn't even specify which password it wanted (user, admin, root... or perhaps some password to a file or something?) I left the field blank and just hit "Unlock".

Since hitting that unlock button about 10 minutes ago, it's been saying it's "Extracting update..." with an indeterminate progress bar below it. I feel like it should have failed by now if it was a legitimate update. I googled around for anyone else mentioning the window... all that came up was a discussion six years old about how an old version of Sparkle (an application framework for making it easy for developers to have their apps autoupdate) would ask for your password if it failed to mount a DMG or something like that.

I'm wondering... is this some kind of trojan? I have no idea how I would have gotten it, given I have Click to Plugin installed in Safari, which is up to date and the only browser I use on this computer. I suppose I just downloaded Paint Code yesterday... I can't think of anything else I've really done with this computer recently.

(It's still behaving exactly the same... it's now been at it for 15 minutes.)

If in doubt, just go to the official Java site of Oracle's and download the latest version manually. If you don't want to be bothered with the updates, install the JDK version. The developer version doesn't update automatically (as in every damn day!)
 
Same here:

Image

Reported an issue at Sun Bug Report

Good idea. It'll be great if we could get a response. Although I thought Sun was no more... Isn't Oracle the company that maintains Java now?

As an aside, I'm surprised this thread has been so active over the past few months. I haven't looked since late January (when I last posted). The only reason I looked at it now was because I'd been quoted, albeit rather pointlessly...
 
Fix with no explanation

Hey, maybe I come a little late in this discussion but I had the same problem today.

I tried twice through java update and it always asked for password. So I downloaded the latest version through Java's website and it worked like a charm.
I'm not sure which version I had before, maybe Java 7 update 51, but now I have Java 7 update 60.

Hope you found a solution !
 
Hey, maybe I come a little late in this discussion but I had the same problem today.

I tried twice through java update and it always asked for password. So I downloaded the latest version through Java's website and it worked like a charm.
I'm not sure which version I had before, maybe Java 7 update 51, but now I have Java 7 update 60.

Hope you found a solution !

Downloading Java 7 did indeed do the trick, resolved!
 
It's a bug in Sparkle (the auto-update framework). Oracle should update to Sparkle 1.6.1 which fixes this by removing the buggy locked-image functionality:

https://github.com/sparkle-project/Sparkle/commit/805447d74862297a5e80a19435d1a29d9f0db863

----------

It is unfortunate that some vendors push bad security practices.

...

Shame on Oracle for making phishing user credentials one step easier.

As mentioned above. It's not Oracle's fault, so stop the conspiracy theories.
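
Added example, not part of any post in this thread and not Oracle's or Sparkle's code: a scan that lists every embedded Sparkle.framework under a directory and flags copies older than the 1.6.1 release named above. It assumes the framework records its version under CFBundleShortVersionString in its Info.plist; the bundle names, function names and sample tree are constructed for illustration.

```python
import plistlib
import re
import tempfile
from pathlib import Path

FIXED = (1, 6, 1)  # release the post above credits with removing locked-image support
BUNDLE_SUFFIXES = {".app", ".plugin", ".prefPane", ".bundle"}

def parse_version(text):
    """'1.5 Beta 6' -> (1, 5, 0); '1.6.1' -> (1, 6, 1); no leading number -> None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text) if isinstance(text, str) else None
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_sparkle(root):
    """Return (owning bundle, version string, status) for each embedded Sparkle copy."""
    rows = []
    for fw in sorted(Path(root).rglob("Sparkle.framework")):
        owner = next((p.name for p in fw.parents if p.suffix in BUNDLE_SUFFIXES), str(fw.parent))
        raw = None
        for rel in ("Versions/A/Resources/Info.plist", "Resources/Info.plist"):
            try:
                with open(fw / rel, "rb") as fh:
                    raw = plistlib.load(fh).get("CFBundleShortVersionString")
                break
            except Exception:  # missing or unreadable plist: try the next layout
                continue
        ver = parse_version(raw)
        if ver is None:
            status = "unknown, inspect by hand"
        else:
            status = "1.6.1 or later" if ver >= FIXED else "predates 1.6.1"
        rows.append((owner, raw, status))
    return rows

def build_sample(root):
    """Constructed sample tree: two fictional bundles, one old and one fixed Sparkle."""
    for bundle, ver in (("OldUpdater.app", "1.5 Beta 6"), ("NewUpdater.app", "1.6.1")):
        res = Path(root) / bundle / "Contents/Frameworks/Sparkle.framework/Versions/A/Resources"
        res.mkdir(parents=True)
        with open(res / "Info.plist", "wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": ver}, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in find_sparkle(tmp):
            print(*row, sep="\t")
```

On a Mac, pass a directory such as /Applications to `find_sparkle` instead of the sample tree.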
 
I wrote Oracle/Java.

http://bugreport.sun.com/bugreport/main.jsp

^ Bottom: "Report an issue".

I wish/hope this is something that just looks suspicious but isn't - although my intuition tells me otherwise - and I promised to listen to my intuition more (after not listening had amazing backfiring consequences for me)!

I'm currently scanning my system with ClamXav - afterwards I will try Bitdefender.

If someone has more suggestions please step up.

If you don't want to have an issue with Java, simply uninstall Java. It is known for security loopholes.
 
I was concerned when this popped up, but then again I was glad to see that Firefox allowed me to see this. Since prior I have always been using the Chrome browser.

Screen Shot 2015-10-27 at 11.00.08 AM.png


I didn't see anyone make mention that it was not safe or that it was a portal to badness. So I have added my password and it's working well on my iMac. The password that I used was the computer's password although I run it unlocked.

Screen Shot 2015-10-27 at 11.01.13 AM.png
 