Oracle ordered to admit it deceived users over Java security updates for years

Graham CLULEY

December 22, 2015

We all know that one of the pillars of computer security is keeping your software up-to-date.

If you have software on your computer which is unpatched and out-of-date then you’re asking for trouble. Malicious hackers can exploit security holes in the stale software running on your PC or Mac to install malware onto your computer, potentially stealing your private information, or spying upon your activities.

Typically these malware attacks target software that is commonly found on users’ computers – Microsoft Word, Adobe Flash, Windows…

And then there’s the desktop runtime for Java, known as Java SE.

Java SE is estimated to be installed on an astonishing 850 million PCs around the world, and has been a frequent visitor to the security headlines over the years after being exploited on multiple occasions by internet attackers.

You would probably like to imagine that, if you have been religiously installing software updates for Java over the years, you’ve been doing your bit to reduce the opportunities for hackers to exploit the software on your computers.

Well, when it comes to Java, it’s not quite as simple as that.

Because, in the eyes of the Federal Trade Commission, Oracle has been “deceiving” you with its security updates for Java SE.

Here is what the FTC’s consumer education specialist Nicole Fleming has to say:

“According to the FTC, for years, updating to a new version of Java didn’t automatically remove all the old versions. Oracle eventually changed this practice, but even then, Java updates removed only the most recent version. That left many computers with multiple outdated versions of the software.”

“Why does it matter? Earlier versions of Java had serious security risks that hackers could exploit to steal login information for people’s financial accounts, and to gather other sensitive information through phishing attacks. As long as these older versions remain on a computer, hackers could continue to exploit them.”

In a nutshell, you could have been busy updating Java – but you were failing to remove a serious vulnerability.

Yesterday the FTC announced that Oracle, the developers of Java, had agreed to settle charges that consumers were “deceived about the security provided by updates to its Java Platform, Standard Edition Software (Java SE)”.

As a consequence, Oracle is required to notify users of the risk of having outdated versions of the software on their computer, and provide an easy way to uninstall older, insecure versions of Java. In addition, Oracle must use social media channels and its website to spread news of the settlement, and advise users of how they can remove the dangerous older versions of the software.

According to the FTC, Oracle has known about the “significant security issues affecting older versions of Java SE” since it acquired the software in 2010, and yet did not properly attempt to remove all older versions of Java SE from August 2014.

Yes, you shouldn’t have older versions of Java installed on your computer. And you can remove them by using the Uninstall Tool available from Java’s website.

But I would go one step further. Ask yourself whether you truly need *any* version of Java installed on your computer.

Fewer and fewer apps and websites require Java these days (note: Java is not the same thing as JavaScript!) so maybe you could live without it entirely.
