Oracle settles with FTC over Java’s “deceptive” security patching
Oracle received a public slap on the wrist from the US Federal Trade Commission over Java SE, the desktop runtime for Java. The FTC announced today that it had reached a settlement with Oracle Corporation over a complaint not about the security of Java itself, but about Oracle’s patching process—and how it unintentionally left consumers to believe that the patches themselves were enough.
Java has been a source of perpetual security sorrow due to the number of exploitable flaws that have been discovered in various versions of Java SE. That’s partially due to its huge installed base—over 850 million PCs are estimated to have Java SE installed on them, and it isn’t always the most recent version. Older versions of Java create a major security risk—even when newer versions have been installed.
And there lies the rub of the FTC’s complaint. Since at least 2010, Java SE updates have not done a thorough job of cleaning up the insecure versions—and, the FTC contends, Oracle failed to advise consumers doing the updating that the job was only half done.