Oracle Settles FTC Charges Over Java Security

The regulator alleged Oracle misled consumers into believing its updates addressed security issues that hackers could exploit.
Matthew Heller, December 21, 2015

Oracle has agreed to settle charges that it misrepresented the effectiveness of security updates to Java Standard Edition by failing to notify consumers that the widely-used software could still be vulnerable to hackers.

The U.S. Federal Trade Commission said Oracle promised consumers its updates would make Java SE “safe and secure” when, in fact, they did not remove older versions of the software with security issues that hackers could use to gain access to consumers’ usernames and passwords for financial accounts.

In a consent order announced Monday, Oracle agreed to notify consumers during the update process if they have outdated versions on their computer, notify them of the risk of having the older software, and give them the option to uninstall it.


“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a news release. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.”

Java SE is installed on more than 850 million personal computers. According to the FTC, Oracle, which acquired Java in 2010, was aware by 2011 of “significant” security issues affecting older versions of the software.

“The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks,” the FTC said.

Oracle promised consumers that by installing its updates to Java SE, the consumer’s system would be “safe and secure,” the FTC alleged, but did not inform consumers that the updates “automatically removed only the most recent prior iteration of Java SE installed on the consumer’s computer, even if the consumer had multiple iterations of Java SE installed.”

As a result, consumers who updated Java SE could still have additional older, insecure versions of the software on their computers, and those leftover versions remained exploitable even though the newest version had been patched.
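The update behaviour the FTC describes is easiest to see as two competing removal policies applied to the same inventory of installed versions. The script below is an added example, not code from Oracle, the FTC or the original article; every function name is my own, the installed-version inventory is constructed for the example, and the version-string parser assumes only the two Java SE naming schemes shown in its comments ("1.7.0_45" and "Java 7 Update 45"). It contrasts the "remove only the most recent prior iteration" policy with "remove every older iteration" and then lists whatever older versions are still present, which is the check a practitioner would want to run after an update.

```python
import re
from typing import List, Tuple

# Java SE version strings have appeared in more than one scheme; this example
# handles the legacy product string "1.7.0_45" (Java 7 Update 45) and the
# marketing-style "Java 7 Update 45". Both normalise to (major, minor, update)
# so that versions can be ordered. Any other scheme raises, rather than being
# silently misordered.
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")              # e.g. 1.7.0_45
_MARKETING = re.compile(r"^Java\s+(\d+)\s+Update\s+(\d+)$", re.I)  # e.g. Java 7 Update 45


def parse_version(s: str) -> Tuple[int, int, int]:
    s = s.strip()
    m = _LEGACY.match(s)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _MARKETING.match(s)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    raise ValueError(f"unrecognised Java SE version string: {s!r}")


def update_remove_latest_prior(installed: List[str], new: str) -> List[str]:
    """The policy the FTC complaint describes: install the new version and
    remove only the single most recent iteration that was already present."""
    remaining = sorted(installed, key=parse_version)
    if remaining:
        remaining.pop()  # drops just the newest prior iteration
    return remaining + [new]


def update_remove_all_prior(installed: List[str], new: str) -> List[str]:
    """The behaviour consumers would reasonably expect: every iteration older
    than the version being installed is removed."""
    newv = parse_version(new)
    remaining = [v for v in installed if parse_version(v) > newv]
    return remaining + [new]


def leftover_older_versions(installed: List[str]) -> List[str]:
    """Post-update check: every installed version older than the newest one.
    A non-empty result means patched and unpatched Java coexist on the box."""
    if not installed:
        return []
    newest = parse_version(max(installed, key=parse_version))
    return [v for v in installed if parse_version(v) < newest]


if __name__ == "__main__":
    # Constructed inventory of a machine that has accumulated several Java
    # SE releases over the years; not real data from any system.
    before = ["1.6.0_45", "Java 7 Update 45", "1.7.0_67"]
    new_release = "1.8.0_65"

    after_flawed = update_remove_latest_prior(before, new_release)
    after_fixed = update_remove_all_prior(before, new_release)

    print("remove-latest-prior policy leaves:", after_flawed)
    print("  still-vulnerable leftovers     :", leftover_older_versions(after_flawed))
    print("remove-all-prior policy leaves  :", after_fixed)
    print("  still-vulnerable leftovers     :", leftover_older_versions(after_fixed))
```

On a real Windows machine the inventory would come from the installed-programs list rather than a hard-coded list; the point of the example is that an updater which only drops the newest prior iteration leaves every older one behind, so the leftover check has to compare against the whole inventory, not just the version that was just replaced.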