News

Oracle Settles with FTC over Deceptive Java Security

• By John K. Waters
• January 13, 2016

Oracle Corp. has agreed to overhaul its Java security update process to settle Federal Trade Commission (FTC) charges that the company deceived consumers by not informing them that the updates left older, still vulnerable versions of Java running on their computers.

"By failing to inform consumers that the Java SE update process did not remove all prior iterations of the software," the FTC stated in its complaint, "Oracle left some consumers vulnerable to a serious, well known, and reasonably foreseeable security risk that attackers would target these computers through exploit kits, resulting in the theft of personal information ...."

The failure to disclose or disclose adequately, the FTC charged, was "is a deceptive act or practice."

"When a company's software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software," Jessica Rich, the director of the FTC's Bureau of Consumer Protection, said in a statement. "The FTC's settlement requires Oracle to give Java users the tools and information they need to protect their computers."

Under the agreement, Oracle is required to disclose "clearly and conspicuously" to users during the update process which iterations of Java SE are still running on their machines, which of those iterations pose security risks if not removed, and how to easily remove them.

The FTC alleged that Oracle has been aware of the problem since "no later than" 2011, and it cited internal documents in which Oracle admitted that "Java malware propagation [was] successful even though [attackers are] exploiting fixed bugs" and that the "Java update mechanism is not aggressive enough or simply not working." In other words, because the older, versions were not uninstalled, the vulnerability the update aimed to fix was still there and exploitable. The updates continued to remove only the most recent version of Java SE installed until August 2014, the FTC stated.

The FTC did allow that Oracle posted notices on its Web site advising users of the need to remove older versions of Java, and that those older versions posed a serious security risk. But the company failed to explain in those notices that the security updates did not automatically remove all older versions, the FTC charged. The commission supported its charge that this practice harmed consumers by pointing to the large number of hacking incidents that targeted prior versions of Java SE.

Information about uninstalling older versions of Java is available on Oracle's Web site.