DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Oracle Agrees to Settle FTC Charges It Deceived Consumers About Java Software Updates

Posted on December 21, 2015 by Dissent

From the FTC:

Oracle has agreed to settle Federal Trade Commission charges that it deceived consumers about the security provided by updates to its Java Platform, Standard Edition software (Java SE), which is installed on more than 850 million personal computers. Under the terms of a proposed consent order, Oracle will be required to give consumers the ability to easily uninstall insecure, older versions of Java SE.

“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.”

Oracle’s Java SE provides support for a vast array of features consumers use when browsing the web, including browser-based calculators, online gaming, chatrooms, and 3D image viewing.

According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issuesaffecting older versions of Java SE. The security issues allowed hackers’ to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.

In its complaint, the FTC alleges that Oracle promised consumers that by installing its updates to Java SE both the updates and the consumer’s system would be “safe and secure” with the “latest… security updates.” During the update process, however, Oracle failed to inform consumers that the Java SE update automatically removed only the most recent prior version of the software, and did not remove any other earlier versions of Java SE that might be installed on their computer, and did not uninstall any versions released prior to Java SE version 6 update 10. As a result, after updating Java SE, consumers could still have additional older, insecure versions of the software on their computers that were vulnerable to being hacked.

In 2011, according to the FTC’s complaint, Oracle was aware of the insufficiency of its update process. Internal documents stated that the “Java update mechanism is not aggressive enough or simply not working,” and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers.

While Oracle did have notices on their website relating to the need to remove older versions because of the security risk they posed, the information did not explain that the update process did not automatically remove all older versions of Java SE. The updates continued to remove only the most recent version of Java SE installed until August 2014.

The complaint charges that this failure to disclose the limitations of the updates in light of the statements made about the security benefits of the updates was deceptive and in violation of Section 5 of the FTC Act.

Under the terms of the proposed consent order, Oracle will be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.

The consent order also will prohibit the company from making any further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle provides.

The FTC has published a blog post for consumers with more information about Java SE’s update issues.

The Commission vote to issue a complaint and accept the proposed consent order was 4-0.

SOURCE: FTC

Related posts:

  • FTC Approves Final Order in Oracle Java Security Case
  • FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
  • Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
  • FTC Says Genetic Testing Company 1Health Failed to Protect Privacy and Security of DNA Data and Unfairly Changed its Privacy Policy
Category: Business SectorOf Note

Post navigation

← Iranian Hackers Infiltrated New York Dam in 2013
Nursing Home Workers Share Explicit Photos of Residents on Snapchat →

1 thought on “Oracle Agrees to Settle FTC Charges It Deceived Consumers About Java Software Updates”

  1. IA Eng says:
    December 21, 2015 at 1:38 pm

    My problem with older Java was the unspoken issue with the way you had to update this…..software.
    If you tried to update the software and then tried to remove the older version since it did not remove itself, you’d end up removing a good portion of the updated Java, rendering it useless.

    You had to remove both the 32 and 64 bit vulnerable Java’s first and then reinstall the latest Java onto the box, and then reboot. Several times this stuff was more difficult to remove than some AntiVirus software I have used before.

    I see a lot of large companies redesigning their software without Java in mind. Most will go towards the HTML 5 route and avoid this old, vulnerable software.

    I can understand oracle wanting to purchase a software that is practically everywhere – but with that comes an almost unbelievable task for updates and removal of this software that has had more updates than I care to talk about. All I can say is, the software giant that owns Java now seems to like patching misery. I don’t even want to contemplate how many patches this company puts out in a year.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.