Oracle has reached an agreement with the U.S. Federal Trade Commission to settle charges the agency brought over Java SE, which is installed on more than 850 million computers around the world, and the pending outcome is a win for both consumers and enterprise IT.
The vendor knew since 2010 that older versions of Java SE had "significant security issues" that gave hackers the ability to steal user names and passwords for financial accounts and tap other types of senstive data, the FTC said in a statement:
In its complaint, the FTC alleges that Oracle promised consumers that by installing its updates to Java SE both the updates and the consumer’s system would be “safe and secure” with the “latest… security updates.” During the update process, however, Oracle failed to inform consumers that the Java SE update automatically removed only the most recent prior version of the software, and did not remove any other earlier versions of Java SE that might be installed on their computer, and did not uninstall any versions released prior to Java SE version 6 update 10. As a result, after updating Java SE, consumers could still have additional older, insecure versions of the software on their computers that were vulnerable to being hacked.
Under the terms of the proposed consent order, Oracle will be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.
The consent order also will prohibit the company from making any further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle provides.
Oracle won't have to admit to any wrongdoing or pay a fine under the proposed consent order, according to the Washington Post. The order will be open for public comment through Jan. 20. The FTC will then decide whether to finalize it.
Analysis: Not Just A 'Consumer' Win—An Enterprise One, Too
The FTC's announcement repeatedly refers to "consumers" as the beneficiaries of the proposed settlement. Perhaps unintentionally, that suggests all 850 million PCs with Java SE installed are outside the auspices of enterprise IT. This certainly can't be the case, particularly in the era of BYOD (bring your own device).
Security experts have been on Oracle's case for years, urging the company to fix Java's security issues. In 2013, on a call with Java user group members, Oracle's then-Java security lead Milton Smith acknowledged the language's security shortcomings:
"The plan for Java security is really simple. It's to get Java fixed up, number one, and then number two, to communicate our efforts widely. We really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy. We have to fix Java."
Those are welcome words and the FTC settlement's terms, albeit coming years later, speak to Smith's call for better communication from Oracle regarding Java security. While no amount of outreach is enough to get every computer running vulnerable versions of Java SE up to date, the settlement could nonetheless have significant positive impact.
That said, the settlement doesn't address the broader question of Java's overall security issues, or the state of software security in general.
"The main thing to be said here is that it's another quite blunt demonstration that the word security isn't quite what it seems to be," says Constellation Research VP and principal analyst Steve Wilson. "I don't think any security promise anyone makes is trustworthy. They're always qualified by a lot of technical mumbo-jumbo about standards and audits. This is just the pointy end of a much deeper problem."
Reprints
Reprints can be purchased through Constellation Research, Inc. To request official reprints in PDF format, please contact Sales.
