Oracle settles with FTC over “deceptive” security updates?
How were Oracle deceptive? By only removing the most recent vulnerable version of Java from users’ computers, leaving older versions in situ.
“In 2011, according to the FTC’s complaint, Oracle was aware of the insufficiency of its update process. Internal documents stated that the “Java update mechanism is not aggressive enough or simply not working,” and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers.
While Oracle did have notices on their website relating to the need to remove older versions because of the security risk they posed, the information did not explain that the update process did not automatically remove all older versions of Java SE. The updates continued to remove only the most recent version of Java SE installed until August 2014.
The complaint charges that this failure to disclose the limitations of the updates in light of the statements made about the security benefits of the updates was deceptive and in violation of Section 5 of the FTC Act.”
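Added example, not from the post, the FTC or Oracle: a defender-side check for the leftover installs the complaint describes, run over a constructed software inventory of the kind an endpoint agent exports from the Windows Uninstall registry keys. Host names, display names and version strings below are made up.

```python
import re
from collections import defaultdict

# Constructed sample inventory: (host, DisplayName, DisplayVersion) rows as an
# endpoint agent might export from HKLM\...\CurrentVersion\Uninstall. Made up.
INVENTORY = [
    ("ws01", "Java 8 Update 45", "8.0.450"),
    ("ws01", "Java 7 Update 51", "7.0.510"),            # left behind by the updater
    ("ws01", "Java(TM) 6 Update 31", "6.0.310"),        # left behind by the updater
    ("ws02", "Java 8 Update 45", "8.0.450"),
    ("ws02", "Mozilla Firefox 40.0", "40.0"),
    ("ws03", "Java 8 Update 45 (64-bit)", "8.0.450"),   # 32- and 64-bit of the
    ("ws03", "Java 8 Update 45", "8.0.450"),            # same version: not stale
]

# Matches Java SE display names such as "Java 7 Update 51" and "Java(TM) 6 Update 31".
JAVA_NAME = re.compile(r"^Java(\(TM\))?\s+\d", re.IGNORECASE)

def parse_version(version):
    """Turn '8.0.450' into (8, 0, 450) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def stale_java_installs(inventory):
    """Return {host: [stale display names]} for hosts that still carry a Java SE
    release older than the newest one installed on that host. Hosts with a single
    version, or several installs of the same version, are not reported."""
    by_host = defaultdict(list)
    for host, name, version in inventory:
        if JAVA_NAME.match(name):
            by_host[host].append((parse_version(version), name))
    report = {}
    for host, installs in by_host.items():
        newest = max(ver for ver, _ in installs)
        stale = sorted(name for ver, name in installs if ver < newest)
        if stale:
            report[host] = stale
    return report

if __name__ == "__main__":
    for host, names in stale_java_installs(INVENTORY).items():
        print(f"{host}: older Java SE still installed: {', '.join(names)}")
```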
Not only were there issues with the update process, I remember there was a time when Sun (not Oracle) recommended that old versions of Java be left on a user’s computer. I wrote back in 2005 that that was very bad advice.
The FTC has published a blog post for consumers with more information.
Here is a copy of the Order, which will not terminate until 20 years have passed.