
Oracle Deceived Users About Security Updates, According To FTC Settlement

Oracle agreed to settle FTC charges that it deceived consumers with its security updates, which continued to leave behind insecure versions of its Java Standard Edition (SE) software. Java SE is installed on more than 850 million computers worldwide. Oracle is now required to provide consumers the ability to easily uninstall its older software versions from their computers.

“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.”

The FTC’s complaint states that Oracle has been aware since 2010 of the security issues that its update system leaves behind. However, it has not notified users about when they would be prompted to update the software, except on the company’s own web site. It would also tell its users that by installing the latest update their computers would be “safe and secure,” even though those machines would still contain the insecure versions of Java SE. Malicious hackers could create malware that would exploit those vulnerabilities and steal users’ sensitive information, said the FTC.

In the past few years, the vast majority of Java-related security vulnerabilities have been exploited through Java “applets” on the web. Attackers took advantage of bugs in unpatched Java SE software to infect computers whenever they connected to a site hosting a malicious Java applet. This made Java one of the top reasons computers got hacked year after year.

Most browsers have stopped supporting Java applets at this point, so the situation is not as bad as it used to be, but some native Java applications still require Oracle’s Java SE software to be installed on users’ machines in order to work. This means people remain vulnerable to Java attacks, especially when Oracle doesn’t ensure that the old exploitable software is removed from PCs along with the new updates.

The settlement between Oracle and the FTC requires Oracle to properly notify its users (including via social media) to remove those old Java SE versions and to give them the option to uninstall them. The consent order will also prohibit Oracle from making further deceptive statements about the privacy or security of its software in the future.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 
