FTC Approves Oracle Settlement over Deceptive Java Security

Following the required 30-day public comment period, the Federal Trade Commission (FTC) has given final approval to the settlement of its complaint against Oracle Corp., which alleged that the company deceived consumers by not telling them that its security updates left older, still-vulnerable versions of Java running on their computers.

The settlement, which was proposed late last year, requires Oracle to disclose "clearly and conspicuously" to users during the update process which iterations of Java SE are still running on their machines, which of those iterations pose security risks if not removed and how to easily remove them. The order states that Oracle will be required to do this for the next 20 years.

In its original complaint, the FTC alleged that Oracle failed to inform consumers that the Java SE update process did not remove all prior iterations of the software, and that the company had been aware of the problem since "no later than" 2011. In doing so, the commission said, Oracle violated Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce."

The commission cited internal documents in which Oracle admitted that "Java malware propagation [was] successful even though [attackers are] exploiting fixed bugs" and that the "Java update mechanism is not aggressive enough or simply not working." In other words, because the older versions were not uninstalled, the vulnerability an update was meant to fix remained on the machine and remained exploitable. Until August 2014, the FTC stated, the updates removed only the most recent prior version of Java SE, leaving any earlier ones in place.

The FTC did allow that Oracle posted notices on its Web site advising users of the need to remove older versions of Java, and that those older versions posed a serious security risk. But the company failed to explain in those notices that the security updates did not automatically remove all older versions, the FTC charged. The commission supported its allegation that this practice harmed consumers by pointing to the large number of hacking incidents that targeted prior versions of Java SE.
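The practical check that follows from the complaint is an inventory: does a given Windows machine carry more than one Java SE installation, and which of them are the leftovers an update never removed? The script below is an added example written for this article; it is not Oracle's code and not part of the FTC order. It reads the standard Windows Add/Remove Programs registry keys (a generic Windows location, not an Oracle-specific one) and assumes, as a labelled assumption, that Oracle's installer registers its products with a display name that begins with "Java" or "Java(TM)" followed by a version number.

```powershell
# Added example (not from the article, Oracle or the FTC): enumerate every
# Java SE product registered in Add/Remove Programs and flag the ones that
# are older than the newest installed build, i.e. the leftovers the
# FTC complaint describes.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Assumption: Oracle's installers use display names such as
# "Java 8 Update 291" or "Java(TM) 6 Update 45".
$javaNamePattern = '^Java(\(TM\))?\s+\d'

$javaEntries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.DisplayName -match $javaNamePattern) {
            [pscustomobject]@{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                UninstallString = $p.UninstallString
            }
        }
    }
}

# Sort numerically by DisplayVersion; entries without a parseable version
# sort last rather than aborting the inventory.
$sorted = $javaEntries | Sort-Object -Descending -Property @{
    Expression = { try { [version]$_.Version } catch { [version]'0.0' } }
}

if (-not $sorted) {
    Write-Output 'No Java SE installations registered on this machine.'
}
elseif (@($sorted).Count -eq 1) {
    Write-Output ("Single Java SE installation: {0} ({1})" -f $sorted[0].Name, $sorted[0].Version)
}
else {
    Write-Output ("Newest installed: {0} ({1})" -f $sorted[0].Name, $sorted[0].Version)
    Write-Output 'Older installations still present (candidates for removal):'
    # Everything after the first entry is an older build that the update
    # process left behind; print its registered uninstall command so an
    # administrator can remove it deliberately.
    $sorted | Select-Object -Skip 1 | ForEach-Object {
        Write-Output ("  {0} ({1})`n    uninstall: {2}" -f $_.Name, $_.Version, $_.UninstallString)
    }
}
```

Run it from an elevated PowerShell prompt so both the 64-bit and the WOW6432Node (32-bit) hives are readable; the script only reports and prints each older build's registered uninstall command, it does not execute anything, so the removal step stays an explicit administrator decision.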

"When a company's software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software," Jessica Rich, the director of the FTC's Bureau of Consumer Protection, said in a statement. "The FTC's settlement requires Oracle to give Java users the tools and information they need to protect their computers."

The final Decision and Order is available online.

Information about uninstalling older versions of Java is available on Oracle's Web site.

And the FTC has published a blog post for consumers with more information about Java SE's update issues.

Oracle did not return our calls for comment.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].