
Oracle ordered to admit it deceived users over Java security updates for years


December 22, 2015


We all know that one of the pillars of computer security is keeping your software up-to-date.

If you have software on your computer which is unpatched and out-of-date then you’re asking for trouble. Malicious hackers can exploit security holes in the stale software running on your PC or Mac to install malware onto your computer, potentially stealing your private information, or spying upon your activities.

Typically these malware attacks target software that is commonly found on users’ computers – Microsoft Word, Adobe Flash, Windows…

And then there’s the desktop runtime for Java, known as Java SE.

Java SE is estimated to be installed on an astonishing 850 million PCs around the world, and has been a frequent visitor to the security headlines over the years after being exploited on multiple occasions by internet attackers.

You would probably like to imagine that if you have been religiously installing software updates for Java over the years that you’ve been doing your bit to reduce the opportunities for hackers to exploit the software on your computers.

Well, when it comes to Java, it’s not quite as simple as that.

Because, in the eyes of the Federal Trade Commission, Oracle has been “deceiving” you with its security updates for Java SE.

Here is what the FTC’s consumer education specialist Nicole Fleming has to say:

“According to the FTC, for years, updating to a new version of Java didn’t automatically remove all the old versions. Oracle eventually changed this practice, but even then, Java updates removed only the most recent version. That left many computers with multiple outdated versions of the software.”

“Why does it matter? Earlier versions of Java had serious security risks that hackers could exploit to steal login information for people’s financial accounts, and to gather other sensitive information through phishing attacks. As long as these older versions remain on a computer, hackers could continue to exploit them.”

In a nutshell, you could have been busy updating Java – but you were failing to remove a serious vulnerability.

Yesterday the FTC announced that Oracle, the developers of Java, had agreed to settle charges that consumers were “deceived about the security provided by updates to its Java Platform, Standard Edition Software (Java SE)”.

As a consequence, Oracle is required to notify users of the risk of having outdated versions of the software on their computer, and provide an easy way to uninstall older, insecure versions of Java. In addition, Oracle must use social media channels and its website to spread news of the settlement, and advise users of how they can remove the dangerous older versions of the software.

According to the FTC, Oracle has known about the “significant security issues affecting older versions of Java SE” since it acquired the software in 2010, and yet did not properly attempt to remove all older versions of Java SE from August 2014.

Yes, you shouldn’t have older versions of Java installed on your computer. And you can remove them by using the Uninstall Tool available from Java’s website.

But I would go one step further. Ask yourself whether you truly need *any* version of Java installed on your computer.

Fewer and fewer apps and websites require Java these days (note: Java is not the same thing as JavaScript!), so maybe you could live without it entirely.
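The behaviour the FTC describes, an update that strips only the most recent prior version and leaves older Java families and earlier updates behind, is something you can check for with a quick inventory pass. The following is an added example, not code from the article, Oracle or the FTC; the program names are constructed, and the patterns assume the "Java N Update M" display names and "1.N.0_M" version strings Oracle used for Java SE 5 to 8, plus the "N.0.M" scheme of later releases.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (hypothetical display names in the style of an
# uninstall list); not data taken from any real machine.
INSTALLED_PROGRAMS = [
    "Java 8 Update 66",
    "Java 8 Update 51",
    "Java 7 Update 80",
    "Java(TM) 6 Update 45",
    "Java SE Development Kit 8 Update 66",
    "Mozilla Firefox 43.0",
]

# "Java 8 Update 66" / "Java(TM) 6 Update 45" -> (8, 66) / (6, 45)
NAME_RE = re.compile(r"^Java(?:\(TM\))?(?: SE Development Kit)? (\d+) Update (\d+)$")
# "1.8.0_66" (legacy scheme: the family is the second field) -> (8, 66)
LEGACY_RE = re.compile(r"^1\.(\d+)\.\d+_(\d+)$")
# "9.0.1" (newer scheme: the family is the first field) -> (9, 1)
MODERN_RE = re.compile(r"^(\d+)\.\d+\.(\d+)$")


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) for a Java display name or version string, else None."""
    for pattern in (NAME_RE, LEGACY_RE, MODERN_RE):
        m = pattern.match(text.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def stale_java_installs(programs: List[str]) -> List[str]:
    """Return every Java entry older than the newest Java entry present.

    This is exactly the residue the FTC complained about: an updater that only
    removes the most recent prior version leaves older families (Java 6, 7) and
    earlier updates of the current family (8u51) next to the current one (8u66).
    """
    versions: Dict[str, Tuple[int, int]] = {}
    for name in programs:
        parsed = parse_java_version(name)
        if parsed is not None:
            versions[name] = parsed
    if not versions:
        return []
    newest = max(versions.values())
    return [name for name, v in versions.items() if v < newest]


if __name__ == "__main__":
    for entry in stale_java_installs(INSTALLED_PROGRAMS):
        print("outdated Java still installed:", entry)
```

Feed it the display names from your own software inventory (or the output of `java -version` from each installed runtime) and anything it lists is a leftover that the Uninstall Tool mentioned above should remove.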




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
