Categories: Security

Oracle Settles Java Security Deception Charges With FTC

Oracle has settled charges by the US Federal Trade Commission (FTC) that the company misled consumers about the security of the Java software installed on their systems, and has agreed to provide the means for vulnerable software to be removed.

Older versions of Java, which the FTC estimates are installed on about 850 million computers, are vulnerable to serious security risks, but Oracle didn’t make this threat clear to users or provide easily accessible tools for removing these older versions, according to the FTC.

‘Safe and secure’

Moreover, Oracle’s update system for Java, which it acquired in 2010, deceived users by leading them to believe that it would remove Java-based security vulnerabilities, the FTC said.

The tool told users they would be “safe and secure” with the “latest… security updates”, according to the FTC.

In reality, the Java updater initially didn’t remove any older, vulnerable versions of the software, leaving them present on users’ computers and thus exposing those systems to attack, the FTC said. Later on, a new version of the updater tool only removed the most recent prior version of the software, leaving any older versions on the system.

“As a result, after updating Java SE, consumers could still have additional older, insecure versions of the software on their computers that were vulnerable to being hacked,” the FTC stated.

Oracle knowledge

Oracle was aware of the insufficiency of the update process and of the large number of attacks that made use of vulnerable, older versions of Java installed on users’ systems, according to the FTC, with a 2011 internal Oracle document stating that the “Java update mechanism is not aggressive enough or simply not working”.

The company posted notices on its website informing consumers of the vulnerability of older versions of Java, but didn’t explain that the update mechanism left those older versions in place, the FTC said. The updater removed only the most recent previous version of Java until August 2014, according to the regulator.
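The two paragraphs above describe the failure mode at the heart of the complaint: an update that installs the newest Java SE but leaves earlier, vulnerable versions on disk, first removing none of them and later removing only the single most recent prior version. The following is an added example, not code from the article or from Oracle, showing how a defender can reason about the same situation: it parses classic Java SE version strings, models the "remove only the most recent prior version" policy so the leftovers are visible, and produces the list an inventory check should actually report, namely every version older than the newest one present. The inventory in `SAMPLE_INVENTORY` is constructed for illustration, and `parse_java_version` only handles the `major.minor.micro_update` format used by Java 6, 7 and 8 releases.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: Java SE versions found on one machine (illustrative, not from the article)
SAMPLE_INVENTORY: List[str] = ["1.6.0_45", "1.7.0_67", "1.7.0_80", "1.8.0_66"]

# Classic Java SE version string: 1.<feature>.<micro>_<update>, e.g. "1.7.0_80" (update suffix optional)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a comparable tuple so sorting is numeric, not lexical.

    Lexical ordering would rank "1.7.0_9" above "1.7.0_80"; the numeric tuple does not.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Java SE version string: {version!r}")
    major, minor, micro, update = match.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def sort_versions(installed: List[str]) -> List[str]:
    """Return the installed versions ordered oldest to newest, duplicates removed."""
    return sorted(set(installed), key=parse_java_version)


def legacy_updater_leftovers(installed: List[str]) -> List[str]:
    """Model of the behaviour the FTC described for the later updater:
    after the newest version is installed, only the single most recent prior
    version is removed, so everything older than that stays on the system."""
    ordered = sort_versions(installed)
    if len(ordered) <= 2:
        return []          # nothing older than the one removed version remains
    return ordered[:-2]    # drop the newest and the one version the updater removed


def stale_versions(installed: List[str]) -> List[str]:
    """What an inventory check should report: every version except the newest one present."""
    ordered = sort_versions(installed)
    return ordered[:-1]


def inventory_report(installed: List[str]) -> Dict[str, object]:
    """Summarise a machine's Java SE installs for a fleet-wide stale-version report."""
    ordered = sort_versions(installed)
    return {
        "newest": ordered[-1] if ordered else None,
        "stale": stale_versions(installed),
        "missed_by_legacy_updater": legacy_updater_leftovers(installed),
        "needs_cleanup": len(ordered) > 1,
    }


if __name__ == "__main__":
    report = inventory_report(SAMPLE_INVENTORY)
    print(f"newest installed:        {report['newest']}")
    print(f"stale versions present:  {report['stale']}")
    print(f"left behind by updater:  {report['missed_by_legacy_updater']}")
```

Run stand-alone, the script shows that on the sample machine the modelled updater would have removed only 1.7.0_80 and left 1.6.0_45 and 1.7.0_67 in place, which is exactly the gap between "updated" and "clean" that the complaint describes; an inventory tool should key off `stale_versions`, not off whether the newest release is present.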

Under the terms of the proposed consent order, Oracle will be required to notify consumers during the Java update process if they have outdated versions of the software on their systems, to warn them of the risk of leaving that software in place, and to give them the option of uninstalling it. Oracle must also provide broad notice of the settlement to consumers via the web and social media, and refrain from making further deceptive statements about the security of its software.

“The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection, in a statement.

In 2013 Oracle modified Java to address numerous security issues with the platform, but security experts said the changes were insufficient and advised organisations to move away from the platform.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
