After investigating complaints about Oracle's handling of automatic updates to its Java Platform Standard Edition software (Java SE), the U.S. Federal Trade Commission (FTC) has reached a settlement that requires the company to provide "broad notice" to customers about how to uninstall older, less secure versions that may still be present on their devices.
The FTC found that Oracle, which acquired Java with its $7.4 billion purchase of Sun Microsystems in 2010, deceived customers by assuring them their systems would be "safe and secure" when it knew that updates could leave vulnerable versions of the software on their computers. The software has been installed on more than 850 million PCs.
The complaint stemmed from the fact that, until August 2014, automatic updates of Java SE removed only the single most recent previous version of the software from a customer's computer. Anyone who had skipped an update, or had several releases installed side by side, could therefore be left with one or more older versions still present on the system, and those versions remained exploitable.
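The defect described above is easy to reason about once you model it. The script below is an added example, not code from the article or from Oracle: it parses both Java version-string schemes (the legacy "1.MAJOR.0_UPDATE" form used through Java 8 and the "MAJOR.MINOR.SECURITY" form used from Java 9 on), simulates the pre-August-2014 behaviour of removing only the most recent previous version, and then lists every stale install that is left behind. The installation directory names in the sample inventory are constructed for the example; the function and variable names are the author's own assumptions.

```python
import re
from typing import List, Tuple

# Java version strings come in two schemes that must sort correctly against
# each other: "1.8.0_66" (legacy, through Java 8) and "11.0.2" (Java 9+).
_LEGACY = re.compile(r"^1\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")
# Typical install directory names: "jre1.8.0_66", "jdk1.7.0_45", "jdk-11.0.2", "jre7".
_DIRNAME = re.compile(r"^(?:jre|jdk)-?(.+)$")


def parse_java_version(text: str) -> Tuple[int, int, int]:
    """Normalise a Java version string to a comparable (major, minor, update) tuple."""
    m = _LEGACY.match(text)
    if m:
        major, minor, update = m.groups()
        return (int(major), int(minor or 0), int(update or 0))
    m = _MODERN.match(text)
    if m:
        major, minor, security = m.groups()
        return (int(major), int(minor or 0), int(security or 0))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def version_from_dirname(dirname: str) -> str:
    """Strip the jre/jdk prefix from an install directory name (assumed layout)."""
    m = _DIRNAME.match(dirname)
    if not m:
        raise ValueError(f"not a Java install directory name: {dirname!r}")
    return m.group(1)


def legacy_update(installed: List[str], new_version: str) -> List[str]:
    """Model the pre-August-2014 updater the article describes: install the new
    version and remove only the single most recent previous version, leaving
    anything older than that untouched."""
    remaining = set(installed)
    if remaining:
        newest_old = max(remaining, key=parse_java_version)
        remaining.discard(newest_old)
    remaining.add(new_version)
    return sorted(remaining, key=parse_java_version)


def stale_versions(installed: List[str]) -> List[str]:
    """Every installed version older than the newest one: the leftovers an
    administrator has to remove by hand."""
    newest = parse_java_version(max(installed, key=parse_java_version))
    return sorted(
        (v for v in installed if parse_java_version(v) < newest),
        key=parse_java_version,
    )


def stale_from_inventory(dirnames: List[str]) -> List[str]:
    """Convenience wrapper: go from a directory listing to the stale version list."""
    return stale_versions([version_from_dirname(d) for d in dirnames])


if __name__ == "__main__":
    # Constructed inventory: a machine that skipped an update and then took the next one.
    before = ["1.6.0_45", "1.7.0_25"]
    after = legacy_update(before, "1.7.0_45")
    print("after legacy update:", after)            # 1.6.0_45 survives
    print("stale versions left:", stale_versions(after))
    # Constructed directory listing of C:\Program Files\Java on a long-lived desktop.
    listing = ["jre1.6.0_45", "jre7", "jre1.8.0_66", "jdk-11.0.2"]
    print("stale installs by directory:", stale_from_inventory(listing))
```

The parser is the part worth keeping: naive string comparison sorts "1.8.0_66" after "11.0.2" and "1.7.0_9" after "1.7.0_45", so an inventory script that compares raw version strings will misidentify which install is current.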
"Earlier versions of Java had serious security risks that hackers could exploit to steal login information for people's financial accounts, and to gather other sensitive information through phishing attacks," FTC consumer education specialist Nicole Fleming said yesterday in a blog post titled "What's worse than stale coffee? Stale Java." As long as these older versions stay on a computer, hackers could continue to exploit them, she said.
Java SE provides support for a number of desktop and server applications, including online chat, online game-playing, browser-based calculators and 3D image viewing. It was originally developed by Sun Microsystems.
After Oracle's acquisition of Sun, the FTC found that Oracle knew of "the insufficiency of its update process" and the fact that "a large number of hacking incidents" were targeting users with outdated versions of Java SE on their systems. In a statement announcing its settlement with Oracle, the agency noted that internal documents showed the company was aware that the "Java update mechanism is not aggressive enough or simply not working."
Despite that knowledge, Oracle continued to assure customers installing newer versions of Java SE that their systems would be "safe and secure." The FTC also found that while Oracle did provide information online about the importance of removing older versions of Java SE, it did not make clear that its update process would not remove those older versions automatically.
Other Past Vulnerabilities
Systems running Java have been exposed to a variety of hacking and malware threats over the years. For example, a zero-day vulnerability in 2013 enabled suspected state-sponsored hackers to access employee systems at Apple and Facebook.
Earlier this year, adware (an Ask Search toolbar) was also discovered installing itself on Mac users' systems when they installed Java. Windows users had long complained about the inclusion of such adware in the Java installer.
Under the FTC's proposed consent order, Oracle will be required to notify customers about the Java SE update process and the risks posed by older versions, and to provide information on how to uninstall them. Oracle will also be required to publish notices via its Web site and social media, and the company is prohibited from making deceptive statements about the security or privacy of its software.