Oracle Settles Java Security Deception Charges With FTC

Oracle’s Java updater left older, vulnerable versions of the software on users’ systems, the FTC said

Oracle has settled charges by the US Federal Trade Commission (FTC) that the company misled consumers about the security of the Java software installed on their systems, and has agreed to provide the means for vulnerable software to be removed.

Older versions of Java, which the FTC estimates is installed on about 850 million computers, are vulnerable to serious security risks, but Oracle didn’t make this threat clear to users or provide easily accessible tools for these older versions to be removed, according to the FTC.

‘Safe and secure’

Moreover, Oracle’s update system for Java, which it acquired in 2010, deceived users by leading them to believe that it would remove Java-based security vulnerabilities, the FTC said.

The tool told users they would be “safe and secure” with the “latest… security updates”, according to the FTC.

In reality, the Java updater initially didn’t remove any older, vulnerable versions of the software, leaving them present on users’ computers and thus exposing those systems to attack, the FTC said. Later on, a new version of the updater tool only removed the most recent prior version of the software, leaving any older versions on the system.

“As a result, after updating Java SE, consumers could still have additional older, insecure versions of the software on their computers that were vulnerable to being hacked,” the FTC stated.

Oracle knowledge

Oracle was aware of the insufficiency of the update process and of the large number of attacks that made use of vulnerable, older versions of Java installed on users’ systems, according to the FTC, with a 2011 internal Oracle document stating that the “Java update mechanism is not aggressive enough or simply not working”.

The company posted notices on its website informing consumers of the vulnerability of older versions of Java, but didn’t explain that the update mechanism left those older versions in place, the FTC said. The updater removed only the most recent previous version of Java until August 2014, according to the regulator.
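The practical consequence of the two updater behaviours described above (leaving every older version in place, and later removing only the single most recent prior version) is that an up-to-date Java SE install says nothing about what else is still on the machine. The following is an added example, not code from the article or from Oracle: it simulates both updater policies against a constructed host inventory and flags hosts that still carry older Java SE versions, which is the check an administrator would run rather than trusting the updater’s own “safe and secure” message. The inventory lines, host names and version strings are constructed for illustration.

```python
"""Audit a software inventory for leftover older Java SE versions.

Added example (not from the article or from Oracle). Models the two updater
behaviours the FTC described and flags hosts that still carry older Java SE
installs after an update. All inventory data below is constructed.
"""
import re
from collections import defaultdict

# Constructed inventory: one line per installed Java SE copy, "host Java SE <major>u<update>".
INVENTORY = """\
ws-01 Java SE 6u45
ws-01 Java SE 7u25
ws-01 Java SE 7u45
ws-01 Java SE 8u66
ws-02 Java SE 8u66
ws-03 Java SE 7u45
ws-03 Java SE 8u66
"""

LINE_RE = re.compile(r"^(?P<host>\S+)\s+Java SE\s+(?P<major>\d+)u(?P<update>\d+)$")


def parse_version(text):
    """'7u45' -> (7, 45); tuples compare correctly (7, 45) < (8, 66)."""
    major, update = text.split("u")
    return (int(major), int(update))


def format_version(version):
    """(7, 45) -> '7u45'."""
    return f"{version[0]}u{version[1]}"


def parse_inventory(text):
    """Return {host: sorted list of unique (major, update) tuples}."""
    by_host = defaultdict(set)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:  # skip blank or malformed lines rather than guessing
            continue
        by_host[match["host"]].add((int(match["major"]), int(match["update"])))
    return {host: sorted(versions) for host, versions in by_host.items()}


def apply_update(installed, new_version, policy):
    """Simulate installing new_version under one of three updater policies.

    'keep_all'         - original behaviour: every older version is left in place
    'remove_prior'     - later behaviour: only the most recent prior version is removed
    'remove_all_older' - what the 'safe and secure' message led users to expect
    """
    older = sorted(v for v in installed if v < new_version)
    if policy == "keep_all":
        remaining = older
    elif policy == "remove_prior":
        remaining = older[:-1]  # drop only the newest of the old versions
    elif policy == "remove_all_older":
        remaining = []
    else:
        raise ValueError(f"unknown policy: {policy}")
    return sorted(set(remaining) | {new_version})


def audit(inventory_text, current):
    """Return {host: [older version strings]} for hosts with stale Java SE copies.

    A host appears only if it has at least one version older than `current`;
    having `current` installed does not clear it, which is the FTC's point.
    """
    findings = {}
    for host, versions in parse_inventory(inventory_text).items():
        stale = [format_version(v) for v in versions if v < current]
        if stale:
            findings[host] = stale
    return findings


if __name__ == "__main__":
    current = parse_version("8u66")
    for host, stale in sorted(audit(INVENTORY, current).items()):
        print(f"{host}: older Java SE still installed: {', '.join(stale)}")
    before = [(6, 45), (7, 25), (7, 45)]
    for policy in ("keep_all", "remove_prior", "remove_all_older"):
        after = [format_version(v) for v in apply_update(before, current, policy)]
        print(f"{policy:17s} -> {after}")
```

Feeding the script a real inventory export (one line per installed copy, in the format the regex expects) produces the list of hosts that an “update to the latest version” did not actually clean up; the `remove_prior` branch shows why a single update leaves the oldest copies untouched on any host with more than one prior version.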

Under the terms of the proposed consent order Oracle will be required to notify consumers during the Java update process if they have outdated versions of the software on their systems, notify them of the risk of leaving the software in place, and give them the option of uninstalling it, as well as providing broad notice of the settlement to consumers via the web and social media and refraining from making further deceptive statements about the security of its software.

“The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection, in a statement.

In 2013 Oracle modified Java to address numerous security issues with the platform, but security experts said the changes were insufficient and advised organisations to move away from the platform.
