Oracle Ordered by the FTC To Repair Flawed Software
Washington — Oracle, one of the nation’s largest tech companies, is settling federal charges that it misled consumers about the security of its software, which is installed on roughly 850 million computers around the world. The company won’t be paying a fine, and it isn’t admitting to any wrongdoing or fault in its settlement with the Federal Trade Commission. But Oracle will be required to tell consumers explicitly if they have outdated, insecure copies of the software — and to help them remove it.
The software, known as Java SE, helps power many of the features consumers expect to see when they browse the Web, from browser-based games to online chatrooms. But security experts say Java is notoriously vulnerable to attack. It has been linked to a staggering array of security flaws that can potentially allow hackers to steal personal information from its users. Many have recommended disabling or uninstalling Java altogether rather than risk being targeted by online criminals. When Oracle bought Java in 2010, it knew that Java was insecure, the FTC alleged in its initial complaint. Internal corporate records seized by the FTC noted that the “Java update mechanism is not aggressive enough or simply not working.”
Although the company issued updates to fix the vulnerabilities as they were discovered, the updates didn’t uninstall the older, problematic versions of Java, leaving them on the customer’s computer. Oracle never informed users of this fact, the FTC alleged, enabling hackers to take advantage of those unpatched flaws.
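The practical consequence of the behaviour described above is that a machine can report a current Java while still carrying older, exploitable runtimes in parallel directories. The following script is an added example written for this article, not code from Oracle or the FTC: it parses the banner line that `java -version` prints for each install, normalises both the legacy `1.8.0_66` and the newer `11.0.2` formats into a sortable tuple, and flags every copy older than the newest one. The install list is constructed sample data; on a real host you would populate it by running `java -version` from each installation directory.

```python
"""Flag stale Java runtimes left behind by updates that install side by side.

Added example for illustration only. The inventory below is constructed;
it does not come from any real machine, from Oracle or from the FTC.
"""
import re
from typing import List, Tuple

VersionTuple = Tuple[int, int, int, int]

# Constructed sample: (install directory, first line of `java -version` output)
SAMPLE_INSTALLS: List[Tuple[str, str]] = [
    (r"C:\Program Files\Java\jre1.8.0_45", 'java version "1.8.0_45"'),
    (r"C:\Program Files\Java\jre7",        'java version "1.7.0_80"'),
    (r"C:\Program Files\Java\jre1.8.0_66", 'java version "1.8.0_66"'),
]

# Matches "1.8.0_66" (legacy 1.x.y_update) and "11.0.2" / "17" (newer numbering).
VERSION_RE = re.compile(r'"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?"')


def parse_java_version(banner: str) -> VersionTuple:
    """Turn a `java -version` banner line into a (major, minor, patch, update) tuple.

    Missing components are treated as 0, so "17" sorts as (17, 0, 0, 0) and
    the legacy "1.8.0_66" as (1, 8, 0, 66); tuple ordering then gives the
    right answer across both numbering schemes.
    """
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"unrecognised java -version banner: {banner!r}")
    return tuple(int(part or 0) for part in match.groups())  # type: ignore[return-value]


def find_stale_installs(installs: List[Tuple[str, str]]) -> List[Tuple[str, VersionTuple]]:
    """Return every install whose version is older than the newest one present.

    Input order is preserved so the report is stable for diffing over time.
    """
    parsed = [(path, parse_java_version(banner)) for path, banner in installs]
    newest = max(version for _, version in parsed)
    return [(path, version) for path, version in parsed if version < newest]


def format_report(installs: List[Tuple[str, str]]) -> List[str]:
    """Human-readable lines naming each stale copy that should be removed."""
    return [
        f"STALE {'.'.join(map(str, version))} at {path}"
        for path, version in find_stale_installs(installs)
    ]


if __name__ == "__main__":
    for line in format_report(SAMPLE_INSTALLS) or ["no stale Java installs found"]:
        print(line)
```

Run against the constructed inventory, the script reports the 1.7.0_80 and 1.8.0_45 directories as stale and leaves 1.8.0_66 alone; on a real fleet the same comparison is what an endpoint inventory tool needs in order to surface the leftover copies that the update mechanism never removed.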
As a result, the FTC said, Oracle ran afoul of federal rules aimed at discouraging unfair or deceptive conduct. Oracle is being required to tell users if they have outdated versions of Java on their computers and to “give them the option to uninstall it,” according to the FTC.