Oracle promises to give customers tools that easily uninstall insecure older versions of Java SE that may still lurk as vulnerabilities within Web browsers.
That promise comes in a consent decree with the Federal Trade Commission that is currently up for public review before taking effect in January.
The agreement would settle an FTC complaint alleging that Oracle knew the old versions of its software were insecure, yet told consumers that installing its updates would give them the latest security fixes and leave their systems safe and secure. Oracle did not mention that older versions of Java SE would remain on those systems and continue to pose a security weakness, the FTC alleges.
The FTC claims it has internal Oracle documents from 2011 that indicate the company knew about the shortcomings of its Java updates, describing them as “not aggressive enough or simply not working.” Failure to disclose details about what the updates didn’t include was deceptive, the FTC alleged.
For its part, Oracle “neither admits nor denies any of the allegations.”
But it agrees to provide tools for removing versions older than Java SE 6 Update 10.
According to the FTC, “Under the terms of the proposed consent order, Oracle will be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.”