Skip to main content

Oracle Deceived Users About Security Updates, According To FTC Settlement

Oracle agreed to settle FTC charges that it deceived consumers with its security updates, which continued to leave behind insecure versions of its Java Standard Edition (SE) software. Java SE is installed on more than 850 million computers worldwide. Oracle is now required to provide consumers the ability to easily uninstall its older software versions from their computers.

“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.”

The FTC complained that Oracle has been aware of the security issues that its update system leaves behind since 2010. However, it hasn’t notified users about when they would be prompted to update the software, except on the company’s own web site. It would also tell its users that by installing the latest update their computers would be “safe and secure,” even though those machines would still contain the insecure versions of Java SE. Malicious hackers could create malware that would exploit those vulnerabilities and steal users’ sensitive information, said the FTC.

In the past few years, the vast majority of Java-related security vulnerabilities have come from exploiting Java “applets” on the web. The attackers would take advantage of bugs in unpatched Java SE software to infect computers whenever they would connect to a site that would contain a malicious Java applet. This made Java one of the top reasons why computers would get hacked year after year.

Most browsers have stopped supporting Java applets at this point, so the situation is not as bad as it used to be, but there are still some native Java applications out there that require Oracle’s Java SE software installed on people’s machines in order to work. This means people continue to remain vulnerable to Java attacks, especially when Oracle doesn’t ensure that the old exploitable software is removed from PCs with the new updates.

The settlement between Oracle and the FTC requires Oracle to properly notify their users (including via social media) to remove those old Java SE versions and give them the option to uninstall them. The consent order will also prohibit Oracle from making further deceptive statements about the privacy or security of its software in the future.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on Facebook, Google+, RSS, Twitter and YouTube.

  • hoofhearted
    Bundling McAffee and Ask toolbar doesn't help their credibility either.
    Reply
  • sykozis
    McAfee has steadily improved since Intel bought them out. Detection rates have gone up dramatically. Removal rates have gone up dramatically. False Positive rates have dropped dramatically. The software is more stable and has less impact on system performance than it ever has in the past.

    The Ask toolbar, on the other hand, is still considered spyware by most.....and for good reason. I generally won't install software that comes packaged with the Ask toolbar...
    Reply
  • SinxarKnights
    Bundling McAffee and Ask toolbar doesn't help their credibility either.

    I use java and update it regularly. There is no bundled software included.
    Reply
  • Urzu1000
    I use java and update it regularly. There is no bundled software included.

    To my knowledge, they only bundle software for the initial install, and only on the 32-bit version. This information could be outdated. I haven't installed 32-bit in a couple years now.
    Reply
  • dE_logics
    Good for the Windows folks. They got no choice anyway.
    Reply