Oracle ordered to admit it deceived users over Java security updates for years

Photo credits: Pixabay / Cristoph

We all know that one of the pillars of computer security is keeping your software up-to-date.

If you have software on your computer which is unpatched and out-of-date then you’re asking for trouble. Malicious hackers can exploit security holes in the stale software running on your PC or Mac to install malware onto your computer, potentially stealing your private information, or spying upon your activities.

Typically these malware attacks target software that is commonly found on users’ computers – Microsoft Word, Adobe Flash, Windows…

And then there’s the desktop runtime for Java, known as Java SE.

Java SE is estimated to be installed on an astonishing 850 million PCs around the world, and has been a frequent visitor to the security headlines over the years after being exploited on multiple occasions by internet attackers.

You would probably like to imagine that if you have been religiously installing software updates for Java over the years, you’ve been doing your bit to reduce the opportunities for hackers to exploit the software on your computers.

Well, when it comes to Java, it’s not quite as simple as that.

Because, in the eyes of the Federal Trade Commission, Oracle has been “deceiving” you with its security updates for Java SE.

Here is what the FTC’s consumer education specialist Nicole Fleming has to say:

“According to the FTC, for years, updating to a new version of Java didn’t automatically remove all the old versions. Oracle eventually changed this practice, but even then, Java updates removed only the most recent version. That left many computers with multiple outdated versions of the software.”

“Why does it matter? Earlier versions of Java had serious security risks that hackers could exploit to steal login information for people’s financial accounts, and to gather other sensitive information through phishing attacks. As long as these older versions remain on a computer, hackers could continue to exploit them.”

In a nutshell, you could have been busy updating Java – but you were failing to remove a serious vulnerability.

Yesterday the FTC announced that Oracle, the developers of Java, had agreed to settle charges that consumers were “deceived about the security provided by updates to its Java Platform, Standard Edition Software (Java SE)”.

As a consequence, Oracle is required to notify users of the risk of having outdated versions of the software on their computer, and provide an easy way to uninstall older, insecure versions of Java. In addition, Oracle must use social media channels and its website to spread news of the settlement, and advise users of how they can remove the dangerous older versions of the software.

According to the FTC, Oracle has known about the “significant security issues affecting older versions of Java SE” since it acquired the software in 2010, and yet did not properly attempt to remove all older versions of Java SE from August 2014.

Yes, you shouldn’t have older versions of Java installed on your computer. And you can remove them by using the Uninstall Tool available from Java’s website.

But I would go one step further. Ask yourself whether you truly need *any* version of Java installed on your computer.

Fewer and fewer apps and websites require Java these days (note: Java is not the same thing as JavaScript!), so maybe you could live without it entirely.
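The failure mode described above (an updater that leaves older runtimes behind) is easy to check for in an inventory of installed programs. The following script is an added example, not code from the article, Oracle or the FTC; it assumes Java SE runtimes appear with display names of the form "Java 8 Update 66" or "Java(TM) 6 Update 31", as they typically do in Windows Programs and Features, and the inventory it scans is a constructed sample.

```python
import re

# Constructed sample of "installed programs" display names, in the form Java SE
# runtimes typically appear in Windows Programs and Features (assumed format,
# not an inventory taken from any real machine).
SAMPLE_INVENTORY = [
    "Mozilla Firefox 43.0",
    "Java(TM) 6 Update 31",
    "Java 7 Update 45",
    "Java 7 Update 79",
    "Java 8 Update 66",
    "Java 8 Update 66 (64-bit)",
]

# Matches "Java 8 Update 66", "Java(TM) 6 Update 31", "Java 8 Update 66 (64-bit)"
JAVA_ENTRY = re.compile(
    r"^Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)(?:\s+\(64-bit\))?$"
)


def parse_java_entry(name):
    """Return (major, update) for a Java SE runtime entry, or None for anything else."""
    match = JAVA_ENTRY.match(name.strip())
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def audit_java_runtimes(inventory):
    """Report the newest installed Java SE version and every older runtime left behind.

    A runtime older than the newest one is stale and should be uninstalled; a 32-bit
    and a 64-bit build of the same version are both treated as current.
    """
    versioned = [(v, name) for name in inventory
                 if (v := parse_java_entry(name)) is not None]
    if not versioned:
        return {"newest": None, "stale": []}
    newest = max(v for v, _ in versioned)
    return {
        "newest": f"{newest[0]} Update {newest[1]}",
        "stale": [name for v, name in versioned if v < newest],
    }


if __name__ == "__main__":
    report = audit_java_runtimes(SAMPLE_INVENTORY)
    print("Newest Java SE:", report["newest"])
    for name in report["stale"]:
        print("Stale runtime still installed:", name)
```

On a real host, feed the function the display names from the machine's installed-programs list instead of the constructed sample; any names it reports as stale are exactly the leftovers the FTC settlement is about.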

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments

  • Unfortunately there are apps around that won’t work with later versions of Java. We’ve still got LOB apps that need early 1.4 versions and 1.6 versions so uninstalling isn’t an option. OK, we’re behind a firewall but I’m sure we’re not the only large company in that situation.

  • When I last checked 21,727,245 people have bought the PC/Mac version of Minecraft, which means there are 21 million people who need Java on their computers, despite the security issues.