The Federal Trade Commission (FTC) has settled charges that Oracle left millions of computers vulnerable to attack. Under the settlement, Oracle must give consumers an easy way to uninstall insecure, older versions of its Java Standard Edition (Java SE) software that its own updater left behind.
According to the FTC, Oracle has known of significant security issues affecting older versions of Java SE since it acquired Java in 2010. Those vulnerabilities let attackers craft malware that could capture usernames and passwords for consumers' financial accounts, and mount phishing attacks that harvested other sensitive personal information. The FTC alleges that Oracle deceived consumers by promising that installing a Java SE update would leave both the software and the consumer's system "safe and secure" with the latest security improvements. In reality, the update process left older versions in place: until August 2014 it removed none of them, and after that it removed only the most recent prior version, so any earlier versions still installed on a consumer's system remained exploitable. Java SE is installed on more than 850 million personal computers, so a large share of those machines were left running insecure versions alongside the current one.
“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.”
Under the consent order, Oracle must notify consumers during the Java SE update process if any outdated versions of the software remain on their computer, explain the risk those versions pose, and give them the option to uninstall them. Oracle must also publicize the settlement and the removal instructions on its website and through social media.
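The practical problem the FTC describes is stale Java SE installs sitting beside the current one. The following is an added example, not code from the FTC, Oracle or the original article, that performs the check the settlement asks Oracle's updater to perform: it enumerates Java install directories, parses their version identifiers, and reports every install older than the newest one present. It assumes Oracle's directory naming convention (jre1.8.0_66, jdk-11.0.2 and similar under a single Java folder) and uses a constructed sample list so it runs offline; pass a real path to scan_java_dir to check an actual machine.

```python
import os
import re
from typing import List, Optional, Tuple

# Constructed sample of a Java folder as Oracle's installers leave it
# (e.g. C:\Program Files\Java). Naming convention is an assumption;
# the entries below are made up for this example.
SAMPLE_INSTALL_DIRS = [
    "jre1.7.0_45",
    "jre1.8.0_60",
    "jre1.8.0_66",
    "jdk-9.0.1",
    "jre-11.0.2",
    "README.txt",  # non-Java entry that must be ignored
]

# Matches jre/jdk prefixes, an optional dash, then a dotted/underscored version.
_DIR_RE = re.compile(r"^(?:jre|jdk)-?(\d+(?:[._]\d+)*)$")


def parse_java_version(name: str) -> Optional[Tuple[int, int, int]]:
    """Turn an install directory name into a comparable (major, minor, security) tuple.

    Legacy names use the 1.x.y_z scheme (1.8.0_66 is Java 8 update 66);
    Java 9 and later use plain major.minor.security (11.0.2). Both are
    normalised so tuples compare correctly across the two schemes.
    Returns None for names that are not Java installs.
    """
    m = _DIR_RE.match(name)
    if not m:
        return None
    parts = [int(p) for p in re.split(r"[._]", m.group(1))]
    if parts[0] == 1 and len(parts) >= 2:  # legacy 1.x form: real major is x
        parts = parts[1:]
    parts += [0] * (3 - len(parts))          # pad short versions such as "9"
    return (parts[0], parts[1], parts[2])


def find_stale_installs(dir_names: List[str]) -> List[str]:
    """Return install directory names older than the newest Java present, oldest first."""
    installs = []
    for name in dir_names:
        version = parse_java_version(name)
        if version is not None:
            installs.append((version, name))
    if not installs:
        return []
    newest = max(version for version, _ in installs)
    return [name for version, name in sorted(installs) if version < newest]


def scan_java_dir(path: str) -> List[str]:
    """Scan a real Java folder on disk and report stale installs found there."""
    if not os.path.isdir(path):
        return []
    return find_stale_installs(os.listdir(path))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for stale in find_stale_installs(SAMPLE_INSTALL_DIRS):
        print(f"outdated Java SE install still present: {stale}")
```

The comparison deliberately ranks across the legacy and modern version schemes, since a machine patched after the August 2014 updater change can easily carry a 1.7.0_xx directory beside a current 11.x one; a check that only looked at the most recent prior version would miss exactly the installs the FTC complaint is about.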