FTC Settles Charges Oracle Misled Customers about Java Security Updates | Practical Law


The FTC has announced it reached a settlement with Oracle Corporation regarding charges that Oracle failed to fully advise customers about the effectiveness of security updates to its Java SE platform.


Practical Law Legal Update w-001-1090 (Approx. 3 pages)


by Practical Law Intellectual Property & Technology
Published on 22 Dec 2015, USA (National/Federal)
On December 21, 2015, the FTC issued a press release announcing the settlement of charges against Oracle Corp., which it alleged had misled customers about the effectiveness of security updates it provided to its Java SE platform. The FTC complaint alleged that Oracle knew, at least since it acquired the Java platform in 2010, that hackers monitored new updates to the software in an effort to find and exploit vulnerabilities in older versions of the software.
When Oracle prompted users to install new, updated versions of Java, it advised customers that the updates contained the latest security improvements so the user's systems would be "safe and secure." Although the security update installation process included removing the most recent prior version of the software, older versions still existing on the user’s computer were not removed. The complaint alleged that, while Oracle knew the installation process did not remove older software versions that could pose security risks, it failed to clearly disclose this risk to customers installing the updates, leaving their computers vulnerable.
Under the terms of the settlement, for the next 20 years, Oracle has agreed to:
  • Clearly and conspicuously identify all versions of the Java software currently installed on a computer during any Java installation or update, and explain the security risks to their computers if all outdated versions are not uninstalled.
  • Clearly and conspicuously disclose which, if any, outdated versions of the Java software remain installed on a user’s computer after installation of a new version, and provide instructions on how to uninstall those outdated versions.
  • Notify consumers that their computers may have an outdated, insecure version of the Java software installed, and provide instructions on how to uninstall those outdated versions.
  • Refrain from misrepresenting the privacy or security of new installations or updates of the software.
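The update behaviour described above (remove only the most recent prior version) and the inventory the settlement terms require (identify every installed version, disclose which outdated ones remain) can be modelled in a few lines. This is an added illustration, not Oracle's updater or any code from the FTC filing; the version strings are constructed, and the legacy `1.<major>.0_<update>` and `<major>u<update>` formats are assumed for parsing.

```python
import re
from typing import List, Tuple

# Constructed inventory of Java SE runtimes on one machine (illustrative values only).
INSTALLED = ["1.6.0_45", "1.7.0_51", "1.7.0_79", "1.8.0_60"]


def parse_java_version(s: str) -> Tuple[int, int]:
    """Map '1.<major>.0_<update>' or '<major>u<update>' strings to (major, update)."""
    m = re.fullmatch(r"1\.(\d+)\.0(?:_(\d+))?", s)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = re.fullmatch(r"(\d+)u(\d+)", s)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version string: {s}")


def remove_most_recent_only(installed: List[str], new: str) -> List[str]:
    """Model the flow the complaint describes: install `new`, remove only the
    most recent prior version, and leave every older runtime in place."""
    remaining = sorted(set(installed), key=parse_java_version)
    older = [v for v in remaining if parse_java_version(v) < parse_java_version(new)]
    if older:
        remaining.remove(older[-1])  # only the newest of the old versions goes
    if new not in remaining:
        remaining.append(new)
    return sorted(remaining, key=parse_java_version)


def outdated_versions(installed: List[str], current: str) -> List[str]:
    """Audit step the settlement requires: every runtime older than `current`
    is an outdated version the user must be told about and shown how to remove."""
    cur = parse_java_version(current)
    return [v for v in sorted(set(installed), key=parse_java_version)
            if parse_java_version(v) < cur]


if __name__ == "__main__":
    after = remove_most_recent_only(INSTALLED, "1.8.0_66")
    print("installed after update:", after)
    print("outdated versions left behind:", outdated_versions(after, "1.8.0_66"))
```

Running the audit on the post-update inventory shows the three older runtimes the updater silently left behind, which is exactly the disclosure gap the complaint targeted.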