Skip to navigation
   
Simon Bisson & Mary Branscombe 's Blog
RSS

Java’s SSVAGENT.EXE: training the monkey

By Simon Bisson & Mary Branscombe in Editorial

Posted in Web browser, Security, Internet on August 8, 2008 at 5:49 pm

Permalink | Author Profile

If you run Vista and you’ve allowed Java to update itself recently, you’ll be getting an infuriating dialog box every time you open a new browser window, including a new tab or a popup window, saying that unsigned code wants to run and that it can’t run in protected mode (the low-rights mode that Internet Explorer uses). The SSVAGENT.EXE referred to is Java’s update agent, which runs every time the browser runs - and Sun apparently can’t tell the difference between a new Internet Explorer process and a new tab running in the existing process.

If you actually use any Java applets, you may also get an error telling you there are several Java Virtual Machines running. 

It’s bad enough that Sun has, for at least the second time, put out software without a digital signature proving where it comes from, the most basic security check on code for the end user. It’s equally annoying that the suggestion from Sun is that you just click ‘Allow’ every time until the bug gets fixed in Java 6 Update 10 (’officially released later this summer’) and that Internet Explorer doesn’t let me say ‘Don’t ever allow this to run’.

But how about an update agent that runs every time you run your browser? That’s not very respectful of my resources, or my bandwidth. Other applications have periodic checks for updates and they only run when I’m not buys doing other things (Vista has an API for this, so even if you have umpteen different notification systems running, they can all find out when you’ve stopped to think or turned away to pick up the phone and do their updates, checks and maintenance without slowing you down). Why does Java need to check for updates so obsessively?

The Java control panel doesn’t think it needs to check that often; the default setting appears to be check monthly. So why does it hook into Internet Explorer to run the update agent all the time? Personally, I’m turning off the updater altogether, although that’s not a decision you’ll want all your users to take.

I can’t tell you exactly where the Java control panel hides itself; I couldn’t find anything in the All Programs list so I typed ‘Java’ into the search bar on the Vista Start menu and it offered me the Java control panel without having to dig for it. On the Update tab clear the check box for ‘Check for updates automatically’ and stick to your decision when Java asks if you won’t reconsider and click ‘Check Monthly’ instead because that’s the setting you started with. You may have to quit and restart Internet Explorer to prise Java’s hook out of the code and then you can go back to having browser windows open without a security warning that you train yourself to ignore.

That’s the problem with dialog boxes where it’s OK to just click yes, and one of the interface issues with Vista’s User Account Control. Any time there’s a dialog that’s in your way, the temptation is to click Yes just to get rid of it. Ask users if they want to do this unsafe thing, if they really want to, if they really really really want to and they’ll click Yes with less and less hesitation. Years of popups and confirmation dialogs have trained the user like a monkey in an experiment; click here and get what you want.

But you have to have confirmation for some things (Format C:? Record Battlefield Earth? Delete your wedding photos? Install an application just because you clicked on a URL?).

The real problem is that the PC has no idea of context or common sense; I navigated to the home page for the Kevtris game by typing in the URL, so when I click the download link and then click Run I really do want to install the game, but if I clicked an ad link in my email and it goes straight to installing a Trojan I really don’t want to. The PC has to leave intelligent decisions up to the user, and that means dialog boxes and confirmations when there’s anything that could be suspicious. Not remembering to sign the code for your application? That’s either suspicious, downright penny-pinching ($25 for a certificate) or shows you don’t have a good sign-off process for your developers. Either way, yes, I do want my browser to warn me about you.
-Mary

12345
Rated: 100% (1 votes)
Loading ... Loading ...

Previous Post | Next Post

 
 
Comments

Comment by Nanda - August 29, 2008 on 3:26 am

It is annoying. Thanks for explaining why. IE does not have “Allow all the time option” but there is a check box which says “Dont give this warning again for this program” Checking that seemed to solve the dialog box atleast.
However, I hope they stop running this program everytime a tab opens…
thanks,
nanda

Comment by Simon Bisson & Mary Branscombe - August 29, 2008 on 3:58 am

Glad you found it helpful. The check box usually only works if you select Allow, which means you are running the Java update agent with every browser window, which you may find affects performance.
M

Make a comment

* required

* required

We stop spam using reCaptcha.
Type the words below and click Submit Comment.

   
Tag cloud

Silverlight dual display gaming Credentica ADFS 2.0 EEE conference 64-bit enterprise architecture upgrade Google 3G cloud service google online applications video regulation AuthenTec support Palm virtual desktop RSA 2008 machine learning enterprise server Moonlight user experience Numenta beta data advertising christmas HP .NET robot TSA i-mate Lenovo OpenID Vista Xen OQO Crossfader Xobni Corsair mobile CTO Nokia onboarding CUDA etech EMC Linux iPhone virtualisation eu mobile ofcom network geocaching Asus Express Gate software open ucsd spam fighting identity metasystem Mono fire Bill Gates network social networking WPF Gartner accelerator Internet Explorer exabytes accessories HD Google Spreadsheets html optical interconnects payroll NGSCB green printing Tablet PC service oriented enterprise GPS traffic Facebook graphics conferences politics mscape Previous Versions Mozilla acquisitions numbers Internet Trend Micro bandwidth toshiba IBM O2 UMPC exchange mythbusters privacy Location Web 2.0 amherst interoperability TouchSmart disk space Google Sets cisco licensing HMT benchmark hardware ruggedized yahoo automation Loki Tripit Motorola high performance computing Greasemoneky bbc iplayer active digitiser isp Dopplr terabytes CES MacWorld 2008 security paradox security provisioning DSL whitelist Gears RIA Toshiba Portege R500 processor HTC CPU Jeff Jones Girl Geek Dinners sun business wildfire HR automation SMB 2 fingerprint scanner Microsoft biometrics Intel pen computing Windows Server 2008 Wyse mysql Google IO Internet Explorer 8 NAS processors firewall Trampoline utilities storage Future in Review isps Reqall Beacon bea mash-up visualisation AskEraser spam MacBook Air Dell GPU RAZR open source RBL World Wide Telescope CardSpace green IT productivity wireless USB MIX08 security theatre performance OFCOM SP1 MING Verbatim images HTML 5 streaming media National Insurance digital signature todo list Windows Mobile mobile Linux BBC O'Reilly AMD timezones thin client mobile working smartphone ballmerbot QWERTY hold music regulations migration MRDA quiz information user interface TNT wifi Trolltech Hp 2710p patch Tuesday merger phone management co-processor legislation fingerprint business intelligence Fire Eagle vulnerabilities VSSAdmin 4x HD Firefox browser hierarchical temporal memory Jeff Hawkins geotagging SSD Hugh Thompson Tablet Kiosk cracking Adobe Volume Shadow Copy desktop. PC DisplayLink Ask.com fraud Seagate TechEd 2008 lawsuit email HSDPA hacking anti-virus Frauenhofer disk Barracuda BT community mobile data tariffs flash nvision08 Apple Palladium forensics CalIT2 patent office Bill Cheswick Visual Studio identity theft deperimeterization IDF oracle SSVAGENT.EXE hp microsoft research Netscan Enterprise 2.0 management mobility fibre Secunia NVIDIA SBS
Advertisement

   
Archives

   
Most commented posts

   
Highest Rated Blog Posts

Advertisement