Oracle has reached a settlement with the U.S. Federal Trade Commission over charges related to Java Software updates and security. The problem that the FTC had with Oracle’s Java updates is that the update mechanism wasn’t actually keeping users secure as it left older versions of Java on the user’s system.
For several years, Java was among the most vulnerable and attacked pieces of software in existence. In 2014, a Cisco report claimed that Java insecurity was the primary cause of 91 percent of all attacks. Java security has improved significantly in 2015, with new updates effectively helping to mitigate risk.
The FTC complaint stated that Oracle’s updates for Java made claims about the security of the update that didn’t actually represent the whole situation and risk.
“When an update was available, consumers would typically receive a prompt to update their Java SE,” the FTC complaint states. “When the consumer proceeded to install the update, the consumer would encounter a series of installation screens, which stated that ‘Java provides safe and secure access to the world of amazing Java content.'”
The FTC complaint goes on to note that during the update process, the Oracle Java update mechanism did not remove all of the older, insecure versions of Java that could still be resident on a user’s system.
“Therefore, after the update process, consumers could still have additional older, insecure iterations of Java SE on their computers,” the FTC complaint states.
Oracle did provide information on its site to help users remove the older versions of Java manually, though the FTC noted that the information was not properly linked to the update process.
“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.”
As part of the consent order from the FTC, Oracle now must undertake multiple clear and transparent measures to notify customers if older insecure versions of Java are present on a system. Additionally, clear instructions need to be available to enable users to remove older versions of Java, if detected. Oracle will need to regularly report to the FTC on compliance with the consent order for the next 20 years. The consent order itself does not impose an immediate financial penalty, though the FTC notes any violation of the order could result in a civil penalty of up to $16,000.
The FTC’s actions in this case should be applauded as a positive step forward for IT security. A long-held best practice for security is to stay updated, but when older versions remain in place, the positive benefit of an update is negated. Other vendors should take note of this case. Hopefully, the issue of older versions of software being left behind after an update will be one that will disappear in 2016.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.