US puts Oracle on 20 year leash over ‘deceptive’ Java security claims
- 30 March, 2016 10:07
The US Federal Trade Commission (FTC) has approved an order that binds Oracle to being truthful with consumers about the security of updates for its widely-installed Java SE software.
The approved order follows a proposed settlement between Oracle and the regulator in December over allegations the tech giant claimed that updating Java SE would make a PC secure when it didn’t because older, vulnerable versions would still be installed.
All four FTC commissioners on Tuesday voted in favour of the proposed settlement.
The FTC said in December that Oracle must ensure its statements about security updates are true given that Java SE is installed on about 850 million PCs and the fact Oracle knew since acquiring it in 2010 it was a prime target for hackers due to old flaws. Oracle regularly patches critical flaws in Java SE and if older versions remain on systems, they could be exploited by hackers.
Oracle now has 10 days to tell consumers when they update Java SE if outdated versions are still installed. It will need to inform them of the risk of outdated versions and provide an tool to uninstall older versions from Java SE 1.4.2 up to the version released in the most recent quarter.
The company will also be required to broadcast via social media, its website and several third-party security products “important information regarding the security of Java SE”, linking to a letter proposed by the FTC but from Oracle that explains the lawsuit.
A portion of the letter reads: “The FTC alleged that, in the past, when you installed or updated Java SE, it didn’t replace the version already on your computer. Instead, each version installed side-by-side at the same time. Later, after we changed this, installing or updating Java SE removed only the most recent version already on your computer. What’s more, in many cases, it didn’t remove any version released before October 2008.”
Oracle must ensure the security notification is available for next two years.
Additionally, for the next five years Oracle will be obliged to provide upon request by the FTC all documents relating to compliance with the order.
Oracle is bound by the order until March 28, 2036, or 20 years from the date of any complaint the FTC makes against Oracle for violating the order, whichever comes later.