Oracle settles with FTC over Java’s “deceptive” security patching

20 Jan 2016

Nearly a billion PCs run this notoriously insecure software. Now Oracle has to clean it up.

The Federal Trade Commission announced that it has won concessions in a settlement with software maker Oracle over the company’s failure to uninstall older, insecure versions of Java SE from customer PCs when they upgraded. Oracle, one of the nation’s largest tech companies, is settling federal charges that it misled consumers about the security of its software, which is installed on roughly 850 million computers around the world.

The software, known as Java SE, helps power many of the features consumers expect to see when they browse the Web, from browser-based games to online chatrooms. Part of the problem is its huge installed base: over 850 million PCs are estimated to have Java SE installed, and it isn’t always the most recent version. By leaving these legacy builds in place, Oracle left known, exploitable vulnerabilities on its customers’ computers, vulnerabilities well understood by attackers because they had been widely publicized among security researchers. As part of the settlement, Oracle must notify its users both of the terms it agreed to and of the risks posed by older Java versions that its updater left behind, and must provide the tools needed to remove them completely. Action like this highlights the need for industry watchdogs, because insecure legacy software is a prime example of what economists call an externality: a negative consequence of economic behavior that the free market provides no incentive to correct or account for.

According to the FTC, Oracle, which acquired Java in 2010, was aware by 2011 of “significant” security issues affecting older versions of the software. “The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks,” the FTC said. Internal Oracle records quoted by the FTC noted that the “Java update mechanism is not aggressive enough or simply not working.” Although the company issued updates to fix the vulnerabilities as they were discovered, the updates didn’t uninstall the older, problematic versions of Java, leaving them on the customer’s computer. Anything released before Java SE 6 Update 10 (version string 1.6.0_10) was left completely alone by the update process, because those versions were installed in different directories on PCs and not in the default location used by the new updater. The practical consequence is that a machine that looked fully patched could still carry one or more older runtimes that an attacker could target.
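The check a practitioner wants after reading the above is an inventory: which Java runtimes are actually present on a machine, which of them are older than the newest one, and which fall below the Java SE 6 Update 10 line the FTC says the updater never touched. The following is an added example written for this page; it is not code from the article, Oracle, or the FTC. It assumes the input is a list of strings in either the legacy `1.<major>.0_<update>` version-string form (as seen in install directory names and `java -version` output) or the `Java <major> Update <update>` display-name form that the Windows uninstall registry keys use; the sample entries are constructed, not taken from a real machine.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Sequence


class JavaVersion(NamedTuple):
    """Legacy Java SE numbering: 'Java 6 Update 10' == '1.6.0_10' == (6, 10)."""
    major: int
    update: int


# Legacy version-string form, e.g. "jre1.6.0_07" or "1.8.0_66".
# The lookbehind stops "11.6.0_7" from being read as 1.6.0_7.
_VERSION_STRING = re.compile(r"(?<![\d.])1\.(\d+)\.0_(\d+)")

# Uninstall-registry display-name forms, e.g. "Java 8 Update 66",
# "Java(TM) 6 Update 7", "J2SE Runtime Environment 5.0 Update 22".
_DISPLAY_NAME = re.compile(
    r"(?:Java(?:\(TM\))?|J2SE Runtime Environment)\s+(\d+)(?:\.0)?\s+Update\s+(\d+)",
    re.IGNORECASE,
)

# Per the FTC complaint as reported above, releases before Java SE 6
# Update 10 lived in a different directory and were never removed.
UPDATER_CUTOFF = JavaVersion(6, 10)


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Extract (major, update) from a path, version string or display name."""
    match = _VERSION_STRING.search(text) or _DISPLAY_NAME.search(text)
    if match is None:
        return None
    return JavaVersion(int(match.group(1)), int(match.group(2)))


def find_stale_installs(entries: Sequence[str],
                        cutoff: JavaVersion = UPDATER_CUTOFF) -> Dict[str, object]:
    """Classify every entry relative to the newest runtime found.

    Returns a dict with:
      newest             - highest version seen (None if nothing parsed)
      stale              - entries older than the newest (should be removed)
      missed_by_updater  - the subset of stale entries below `cutoff`
      unparsed           - entries carrying no recognisable version
    """
    parsed = [(entry, parse_java_version(entry)) for entry in entries]
    versions = [v for _, v in parsed if v is not None]
    newest = max(versions) if versions else None

    stale: List[str] = []
    missed: List[str] = []
    unparsed: List[str] = []
    for entry, version in parsed:
        if version is None:
            unparsed.append(entry)
        elif newest is not None and version < newest:
            stale.append(entry)
            if version < cutoff:
                missed.append(entry)
    return {"newest": newest, "stale": stale,
            "missed_by_updater": missed, "unparsed": unparsed}


# Constructed sample of uninstall-registry display names on a PC that was
# upgraded several times without cleanup (illustrative, not a real host).
SAMPLE_UNINSTALL_ENTRIES = [
    "Java 8 Update 66",
    "Java 7 Update 45",
    "Java(TM) 6 Update 7",
    "J2SE Runtime Environment 5.0 Update 22",
    "Java 8 Update 66 (64-bit)",   # same release, other architecture: not stale
    "Java Auto Updater",           # no version: reported as unparsed
]


if __name__ == "__main__":
    report = find_stale_installs(SAMPLE_UNINSTALL_ENTRIES)
    print("newest runtime:", report["newest"])
    for key in ("stale", "missed_by_updater", "unparsed"):
        print(f"{key}:")
        for entry in report["missed_by_updater"] if key == "missed_by_updater" else report[key]:
            print("   ", entry)
```

On a live Windows host the entries would come from the `DisplayName` values under the `Uninstall` keys in `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` (and the `WOW6432Node` equivalent for 32-bit runtimes on 64-bit Windows), or from a listing of the Java install root; the classifier treats two entries of the same version as equivalent, so a 32-bit and 64-bit copy of the current release are not flagged. Anything in `missed_by_updater` is exactly the class of install the article says the update mechanism silently ignored.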
