Regulators Accuse Oracle Of Deceiving Customers About Security Of Java Updates

The owners of more than 850 million personal computers using Oracle’s Java Platform Standard Edition were misled about the security of their devices after software updates left the PCs susceptible to hack attacks, according to federal regulators.

The Federal Trade Commission announced Monday that it had reached a proposed settlement with tech giant Oracle after finding the company deceived consumers about “significant security issues” in its Java software.

According to the FTC’s complaint [PDF], since acquiring Java in 2010, Oracle was aware of security issues in the SE platform that enabled hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.

Java SE provides support for a variety of features that involve browsing the web, including online gaming, chatrooms, and 3D image viewing.

Despite knowing of the issues, Oracle promised consumers that by installing its updates to Java SE their system would be “safe and secure.”

The FTC claims that Oracle failed to inform customers that the Java SE update automatically removed only the most recent prior version of the software, and did not remove any other version that might have been installed on their computer.

As a result, the complaint states, after updating Java SE consumers still had additional older, unsecured versions of the software on their computers.
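To make the failure mode concrete, here is an added illustration (not code from the article, the FTC, or Oracle) that models the update behaviour the complaint describes against a corrected one, using constructed Java SE version strings of the legacy "1.&lt;major&gt;.0_&lt;update&gt;" form. The function and variable names are this example's own; the point is the inventory check at the end, which a defender can run over any list of installed versions to find the stale copies an updater left behind.

```python
import re
from typing import List, Tuple

# Legacy Java SE version strings look like "1.7.0_45": major 7, minor 0, update 45.
# Assumption: only this legacy form is modelled; newer "9.0.1"-style strings are out of scope.
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)_(\d+)$")


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn "1.7.0_45" into the comparable tuple (7, 0, 45)."""
    m = _LEGACY.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Java SE version string: {s!r}")
    major, minor, update = (int(x) for x in m.groups())
    return (major, minor, update)


def naive_update(installed: List[str], new: str) -> List[str]:
    """Model of the behaviour the complaint describes: install `new`, remove only
    the single most recent prior version, and leave every other copy in place."""
    remaining = list(installed)
    if remaining:
        newest_prior = max(remaining, key=parse_version)
        remaining.remove(newest_prior)
    return sorted(remaining + [new], key=parse_version)


def thorough_update(installed: List[str], new: str) -> List[str]:
    """Corrected behaviour: install `new` and remove every version older than it."""
    target = parse_version(new)
    kept = [v for v in installed if parse_version(v) >= target and v != new]
    return sorted(kept + [new], key=parse_version)


def stale_versions(installed: List[str]) -> List[str]:
    """Inventory check: every installed version strictly older than the newest one.
    A non-empty result means an attacker can still target the old copies."""
    if not installed:
        return []
    newest = max(parse_version(v) for v in installed)
    return sorted((v for v in installed if parse_version(v) < newest), key=parse_version)


if __name__ == "__main__":
    # Constructed sample: a PC that has accumulated three Java SE installs.
    before = ["1.6.0_37", "1.7.0_25", "1.7.0_45"]
    after_naive = naive_update(before, "1.7.0_51")
    after_thorough = thorough_update(before, "1.7.0_51")
    print("naive updater leaves:   ", after_naive, "stale:", stale_versions(after_naive))
    print("thorough updater leaves:", after_thorough, "stale:", stale_versions(after_thorough))
```

Running the block shows that the naive updater reports a current version while `stale_versions` still lists two older copies; the thorough updater leaves nothing for the check to flag.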

The FTC complaint accuses Oracle of failing to address the issue despite documentation from 2011 that showed the company was aware of its insufficient update process.

Internal documents stated that the “Java update mechanism is not aggressive enough or simply not working,” and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers, the complaint states.

“While Oracle did have notices on their website relating to the need to remove older versions because of the security risk they posed, the information did not explain that the update process did not automatically remove all older versions of Java SE,” the FTC says in a statement. “The updates continued to remove only the most recent version of Java SE installed until August 2014.”

Under the terms of the proposed settlement [PDF], Oracle will not be required to pay a monetary penalty, but the company must notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it.

Additionally, the company is required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.
