Oracle Settles with FTC over ‘Deceptive’ Java Updates

After investigating complaints about Oracle's handling of automatic updates to its Java Platform Standard Edition software (Java SE), the U.S. Federal Trade Commission (FTC) has ordered the company to provide "broad notice" to customers about how to uninstall older, less secure versions that might still exist on their devices.

The FTC found that Oracle, which acquired Java with its $7.4 billion purchase of Sun Microsystems in 2010, deceived customers by assuring them their systems would be "safe and secure" when it knew that updates could leave vulnerable versions of the software on their computers. The software has been installed on more than 850 million PCs.

The complaint stemmed from that fact that until August 2014 automatic updates of Java SE removed only the most recent previous versions of the software from customers' computers. That potentially left many people with older versions still living somewhere on their systems, leaving them at risk of being hacked.

'Stale Java'

"Earlier versions of Java had serious security risks that hackers could exploit to steal login information for people's financial accounts, and to gather other sensitive information through phishing attacks," FTC consumer education specialist Nicole Fleming said yesterday in the blog post, "What's worse than stale coffee? Stale Java." As long as these older versions stay on a computer, hackers could continue to exploit them, she said.

Java SE provides support for a number of desktop and server applications, including online chat, online game-playing, browser-based calculators and 3D image viewing. It was originally developed by Sun Microsystems.

After Oracle's acquisition of Sun, the FTC found that Oracle knew of "the insufficiency of its update process" and the fact that "a large number of hacking incidents" were targeting users with outdated versions of Java SE on their systems. In a statement announcing its settlement with Oracle, the agency...

Comments are closed.