Oracle must carry apology for botched Java security on its website for two years

Old builds stayed resident, opening security holes. Regulator orders ongoing apology

Oracle has been ordered by the Federal Trade Commission (FTC) to publish a letter of apology on its website for two years after it was found to have deceived customers about "significant security issues" in Java since acquiring it in 2010.

According to the FTC, Oracle failed to tell customers that the Java Standard Edition (SE) updater removed only the most recent prior version of Java, and that any earlier versions might remain resident on the machine.

This, as history has often proven, can cause a number of security issues for individual users.

"Oracle failed to inform consumers that the Java SE update automatically removed only the most recent prior version of the software, and did not remove any other earlier versions of Java SE that might be installed on their computer, and did not uninstall any versions released prior to Java SE version 6 update 10," read the FTC's verdict.

"As a result, after updating Java SE, consumers could still have additional older, insecure versions of the software on their computers that were vulnerable to being hacked," it continued.

The FTC also shared internal Oracle documents dating back to 2011 which stated, even then, that the "Java update mechanism is not aggressive enough or simply not working," and which admitted that hackers were actively targeting earlier versions.

"When a company's software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a statement accompanying the verdict.

"The FTC's settlement requires Oracle to give Java users the tools and information they need to protect their computers."

As well as publishing the letter, Oracle must also now agree to "notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it," the FTC's statement read.

Oracle has told Computing that the company has "nothing to add at this time" on the matter.

The letter Oracle must print for the next two years is reproduced in full below:

Dear Java SE customer:

We're sending you this message because you may have downloaded, installed, or updated Java SE software on your computer. The Federal Trade Commission, the nation's consumer protection agency, has sued us for making allegedly deceptive security claims about Java SE. To settle the lawsuit, we agreed to contact you with instructions on how to protect the personal information on your computer by deleting older versions of Java SE from your computer. Please take the suggested steps as soon as possible.

Here's a summary of what the FTC lawsuit is about. The FTC alleged that, in the past, when you installed or updated Java SE, it didn't replace the version already on your computer. Instead, each version installed side-by-side at the same time. Later, after we changed this, installing or updating Java SE removed only the most recent version already on your computer. What's more, in many cases, it didn't remove any version released before October 2008.

Why was that a problem? Earlier versions of Java SE have serious security risks we corrected in later versions. When people downloaded a new version, we said they could keep Java SE on their computer secure by updating to the latest version or by deleting older versions using the Add/Remove Program utility in their Windows system. But according to the FTC, that wasn't sufficient. Updating to the latest version didn't always remove older versions. So many computers had several versions installed.

That creates a serious security vulnerability. Even if you installed the most recent version of Java SE, the personal information on your computer may be at risk because earlier, less secure versions could still be executed.

To fix this problem, visit http://java.com/uninstall, where instructions on how to uninstall older versions of Java SE are provided. This webpage also provides a link to the Java SE uninstall tool, which you can use to uninstall older versions of Java SE. You may also go to http://java.com/uninstallhelp if you have any additional questions or concerns.
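The updater behaviour the FTC describes (only the most recent prior version is removed, and nothing released before Java SE 6 update 10 is ever removed) and the letter's instruction to remove leftover versions by hand can be modelled in a few lines. The following Python is an added example for this article, not Oracle's updater or the FTC's material: it simulates the described update rule on a constructed inventory of installed versions and then produces the list an administrator would need to uninstall. The version strings and the inventory are constructed; the only fact taken from the page is the 6u10 cut-off.

```python
import re
from typing import Dict, List, Tuple

# Java SE 6 update 10: per the FTC complaint quoted above, releases older
# than this were never removed by the updater at all.
SE6_U10 = (6, 10)

# Legacy Java SE version strings look like "1.6.0_45" (major 6, update 45).
_VERSION_RE = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int]:
    """'1.6.0_45' -> (6, 45); '1.7.0' -> (7, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java SE version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def simulate_update(installed: List[str], new_version: str) -> List[str]:
    """Model of the legacy updater behaviour the FTC describes: install
    new_version, remove only the single most recent prior version, and
    never remove a version released before 6u10. Returns the resulting
    inventory, oldest first."""
    new_key = parse_version(new_version)
    remaining = [v for v in installed if parse_version(v) != new_key]
    prior = [v for v in remaining if parse_version(v) < new_key]
    if prior:
        most_recent_prior = max(prior, key=parse_version)
        if parse_version(most_recent_prior) >= SE6_U10:
            remaining.remove(most_recent_prior)
    remaining.append(new_version)
    return sorted(remaining, key=parse_version)


def audit_stale_versions(installed: List[str]) -> Dict[str, str]:
    """Every version other than the newest, with the reason it is still
    present: the list the letter asks users to uninstall by hand."""
    if not installed:
        return {}
    newest = max(installed, key=parse_version)
    report: Dict[str, str] = {}
    for v in installed:
        if v == newest:
            continue
        if parse_version(v) < SE6_U10:
            report[v] = "predates Java SE 6u10: never auto-removed by the updater"
        else:
            report[v] = "superseded: only the most recent prior version is auto-removed"
    return report


if __name__ == "__main__":
    # Constructed inventory, as one might read it from Add/Remove Programs.
    inventory = ["1.6.0_07", "1.6.0_45", "1.7.0_80"]
    after = simulate_update(inventory, "1.8.0_66")
    print("after update:", after)
    for version, reason in audit_stale_versions(after).items():
        print(f"  uninstall {version}: {reason}")
```

Run as written, the simulated update to 1.8.0_66 removes only 1.7.0_80, leaving both Java 6 builds behind, which is exactly the condition the letter describes; feeding `audit_stale_versions` a real inventory gathered from the Add/Remove Programs list is the check a defender would want before trusting that an updated machine is clean.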