Every once in a while regulators do a good thing. The U.S. Federal Trade Commission did one this week.
It has forced Oracle to settle FTC charges that it deceived consumers about the security provided by Java SE updates, which people assumed were making their computers more secure. Unfortunately few realized that to really improve security they ought to remove older versions of the software.
Oracle did have notices on its website on the need to remove older versions. But, the FTC noted, the information did not explain that the updates didn’t automatically remove all older versions of Java SE. Only the versions of the software Java SE installed before August 2014 were removed..
The complaint charges that this failure to disclose the limitations of the updates in light of the statements made about the security benefits of the updates was deceptive and in violation of Section 5 of the FTC Act.
Under the terms of a proposed consent order, Oracle has to
–notify consumers during the Java SE update process if they have outdated versions of the software on their computer,
–notify them of the risk of having the older software, and give them the option to uninstall it.
–and have to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.
The consent order also will prohibit the company from making any further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle [Nasdaq: ORCL] provides.
Infosec pros probably know about the need to remove old versions of Java SE. However, employees who look after their own PCs may not, making the enterprise vulnerable if the connect to a corporate network.
Java exploits, often used to get usernames and passwords, are among those regularly packaged in malware kits as attackers look for any way to leverage access if they can get into a network. The FTC estimates Java is installed on 850 million computers.
“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” Jessica Rich, director of the FTC’s bureau of consumer protection, said in a statement. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.”
Oracle took control over Java after its 2010 acquisition of Sun Microsystems. A platform that can run applications regardless of the operating system on a device, it can be found on desktops/laptops, game consoles, scientific supercomputers, cell phones and Internet of Things devices. But the FTC says that since 2011 Oracle was aware of the insufficiency of its update process. Company documents stated that the “Java update mechanism is not aggressive enough or simply not working,” and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers.
The public has until Jan. 16, 2016 to comment on the agreement. After that the commission will decide whether to make the proposed consent order final.
