Oracle Java SE case serves up a cuppa caution

When consumers updated Java SE, which has been installed on more than 850 million computers, Oracle Corporation promised “safe and secure access to the world of amazing Java content” and stated that the updates had “the latest . . . security improvements.” But according to a settlement just announced by the FTC, when it came to those security updates, Java SE was pouring decaf.

Consumers use Java to do everything from playing online games to viewing 3D images. But one of the challenges facing Java SE users was that attackers closely monitored Oracle’s periodic security updates to figure out the weaknesses in earlier versions. The bad guys would then design malware – exploit kits – directed at soft spots in previous Java SE iterations. The results could be catastrophic for consumers. Attackers were known to install keystroke loggers to capture usernames and passwords. Next stop: a smash-and-grab with people’s credit card, bank, and PayPal accounts.

But wouldn’t those Java SE security updates take care of the problem? You’d like to think so, but for some consumers, that’s not what happened. People weren’t told that Java SE updates automatically removed only the most recent version installed on the computer. They also didn’t know that updates wouldn’t remove any version released before a certain date. But according to the FTC, who did know, but wasn’t explaining the problem clearly? Oracle, that’s who.
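The update behaviour described above, modelled as an added example (this is not code from the FTC post or from Oracle): given a constructed inventory of installed Java SE labels, `simulate_update` shows what an updater that removes only the single most recent prior version leaves behind, and `stale_versions` lists every older install a complete cleanup should remove. It assumes the Java 5-8 label formats "Java 7 Update 45" and "1.7.0_45"; the sample inventory is constructed.

```python
import re
from typing import List, Tuple

# "Programs and Features" display names, e.g. "Java 7 Update 45" / "Java(TM) 6 Update 31"
_DISPLAY = re.compile(r"Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)", re.I)
# "java -version" style labels, e.g. "1.7.0_45" (assumed format for Java SE 5-8)
_DOTTED = re.compile(r"^1\.(\d+)\.\d+_(\d+)$")


def parse_version(label: str) -> Tuple[int, int]:
    """Return (major, update) for a Java SE label; raise ValueError if unrecognised."""
    m = _DISPLAY.search(label) or _DOTTED.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised Java version label: {label!r}")
    return int(m.group(1)), int(m.group(2))


def simulate_update(installed: List[str], new: str) -> List[str]:
    """Model the behaviour the FTC complaint describes: install `new` and remove
    only the most recent version already present, leaving every older one in place."""
    remaining = sorted(installed, key=parse_version)
    if remaining:
        remaining.pop()  # only the latest prior version is replaced
    return remaining + [new]


def stale_versions(installed: List[str]) -> List[str]:
    """Every install older than the newest one present: what a full cleanup removes."""
    newest = parse_version(max(installed, key=parse_version))
    return [v for v in installed if parse_version(v) < newest]


if __name__ == "__main__":
    # Constructed inventory of a machine that has been through several updates.
    inventory = ["Java(TM) 6 Update 31", "Java 7 Update 45", "Java 7 Update 71"]
    after = simulate_update(inventory, "Java 8 Update 25")
    print("after update:", after)
    print("still needs removing:", stale_versions(after))
```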

On an FAQ page, Oracle revealed that “old and unsupported versions of Java on your system present[] a serious security risk” and that “[u]ninstalling older versions of Java from your system ensures that Java applications will run with the most up-to-date security.” But there were two problems with that. First, in this context, “FAQ” may have been an inaccurate description because how frequently do typical consumers pore over pages like that? Second, even if consumers found that page – an iffy if – it still didn’t explain that the Java SE update process didn’t remove all older, insecure iterations of the software.

What’s more, according to the FTC’s complaint, by 2011 Oracle knew its update process wasn’t sufficient to ensure that consumers could always remove all older, insecure versions. As one Oracle insider candidly observed, the “Java update mechanism is not aggressive enough or simply not working.” Yet, as the FTC alleges, Oracle continued to release security updates until as recently as August 2014 without disclosing that the updates may have left vulnerable Java SE versions untouched – and therefore open to attack. In light of the representations Oracle made, the FTC says the company’s failure to disclose was deceptive.

The proposed order prohibits misrepresentations about the privacy or security of certain Oracle software. It also requires Oracle to ensure that Java SE’s update and installation screens tell consumers if certain older versions are on their computers and give them the option to delete them. Oracle also will have to notify affected consumers and walk them through how to fix the problem. 

What should your company take from the case?

First things first. Make sure you’ve corrected the problem on your own computers. The settlement requires Oracle to notify Java users about the vulnerability and provide tools to fix it. In the meantime, you have several options for removing old versions of Java SE. Follow the instructions on Oracle’s java.com/uninstall page or take one of these steps:

There’s another lesson for businesses. For more than a decade, the FTC has advised companies to test their products and services for serious, well-known, and reasonably foreseeable risks. It’s such an important point that it’s repeated in the FTC’s business brochure, Start with Security. But the obvious corollary of that advice is when testing reveals trouble, move quickly to fix the problem and clearly alert affected consumers.

File comments about the proposed settlement by January 20, 2016. And bookmark the Business Center’s data security page for practical guidance, videos, cases, and other free resources to help you start with – and sustain – security.
