Oracle Agrees to FTC Settlement Over Java Security Lapses

"What's worse than stale coffee? Stale Java."

Dec 23 2015, 3:50pm

Image: evan p. cordes/Flickr

Oracle has agreed to settle FTC charges that it had been deceiving consumers about the security of updates to its nearly ubiquitous Java SE platform, which it acquired in 2010 as part of Sun Microsystems. Under the terms of a proposed consent order, the corporation will be required to offer users the ability to quickly and easily uninstall older, insecure Java versions. The vulnerabilities date back to at least 2011.

The problem isn't the most obvious or glaring of security vulnerabilities, but serves as a good example of how problems can sneak in via legacy software. Basically, Oracle wasn't doing a good enough job of moving users from previous and insecure Java versions to new versions.

Java SE is the "standard edition" of the general Java development platform, a more or less ubiquitous collection of tools used to create applications for desktops, webpages, and embedded/Internet of Things devices.

When a user went to download a new Java version, they were told that their security was "safe and secure" with the "latest… security updates," according to the FTC. What they were not told, however, was that the installer only removed the most recent Java installation from the user's system. Earlier versions could remain, and this wasn't made sufficiently clear.

As a result, it was easy to accumulate old versions of Java without realizing it, despite installing the new version. According to the FTC complaint, these outdated versions were the targets of a large number of hacking incidents. It's generally the case, for Java and well beyond, that outdated software becomes more and more vulnerable as it ages and its manufacturer supports it less.
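The failure mode described above is an inventory problem: an updater that only removes the most recent install leaves older runtimes behind, and nobody notices unless something enumerates them. The following is an added example, not code from the article, Oracle or the FTC. It assumes an inventory of installed Java SE version strings has already been gathered (for instance from a software inventory tool, which is an assumption of the example), parses the 2015-era `1.<major>.<minor>_<update>` format, and reports every install except the newest as a candidate for removal. It goes slightly beyond the article by also accepting the newer `<major>.<minor>.<security>` format used from JDK 9 onward.

```python
"""Flag leftover Java SE installs from a version inventory (added example, not Oracle's or the FTC's code)."""
import re
from typing import List, NamedTuple, Optional, Tuple


class JavaVersion(NamedTuple):
    major: int    # 8 for "1.8.0_66", 11 for "11.0.2"
    minor: int
    update: int   # the "_66" update number, or the third component of a modern string


# Pre-JDK-9 strings: 1.<major>.<minor>_<update>, e.g. 1.8.0_66 (the format in use in 2015).
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")
# JDK 9+ strings: <major>.<minor>.<security>, e.g. 11.0.2 (assumed format, added for completeness).
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_java_version(text: str) -> JavaVersion:
    """Parse a Java SE version string into a comparable (major, minor, update) tuple."""
    text = text.strip()
    m = _LEGACY.match(text)
    if m:
        return JavaVersion(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _MODERN.match(text)
    if m and int(m.group(1)) >= 9:
        return JavaVersion(int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def stale_installs(installed: List[str]) -> Tuple[Optional[str], List[str], List[str]]:
    """Return (newest, stale, unparsed).

    newest   - the single highest version string found (None if nothing parsed)
    stale    - every other parseable install, oldest first; these are the leftovers
               an updater that only removes the most recent install would miss
    unparsed - strings the parser could not interpret; review these by hand
    """
    parsed = {}
    unparsed = []
    for raw in installed:
        try:
            parsed[raw.strip()] = parse_java_version(raw)   # dict also de-duplicates repeats
        except ValueError:
            unparsed.append(raw)
    if not parsed:
        return None, [], unparsed
    newest = max(parsed, key=parsed.get)
    stale = sorted((v for v in parsed if v != newest), key=parsed.get)
    return newest, stale, unparsed


# Constructed sample inventory: what a machine that ran several updaters might report.
INVENTORY = ["1.6.0_35", "1.7.0_45", "1.8.0_51", "1.8.0_66", "java 8 (unknown)"]


def report(installed: List[str] = INVENTORY) -> str:
    """Human-readable summary of which installs to keep, remove, or inspect."""
    newest, stale, unparsed = stale_installs(installed)
    lines = [f"keep:      {newest}"]
    lines += [f"uninstall: {v}" for v in stale]
    lines += [f"inspect:   {v}" for v in unparsed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The only thing that makes a version "stale" here is the presence of a newer one on the same machine, which is exactly the condition the FTC complaint says the installer did not handle; the check should be run after every update, not just once.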

As an FTC blog post (titled "What's worse than stale coffee? Stale Java") explains, "earlier versions of Java had serious security risks that hackers could exploit to steal login information for people's financial accounts, and to gather other sensitive information through phishing attacks. As long as these older versions remain on a computer, hackers could continue to exploit them."

Oracle was aware of the vulnerability as early as 2011, according to the FTC. "While Oracle did have notices on their website relating to the need to remove older versions because of the security risk they posed, the information did not explain that the update process did not automatically remove all older versions of Java SE," a press release from the agency explains. "The updates continued to remove only the most recent version of Java SE installed until August 2014."

The fixes are painless enough and pretty much just involve providing clearer information, but it's still not a great look for Oracle, which has already been accused of neglecting the Java development platform.