Oracle’s stewardship of Java has been scrutinized by the security community, which in 2013 languished through nearly a full year of targeted attacks exploiting zero days and other vulnerabilities in the platform.
Since then, Oracle has improved the Java user experience by denying unsigned applets the ability to execute by default, and putting security restrictions on what older versions of Java can do.
Alas, it wasn’t enough.
The Federal Trade Commission yesterday announced a settlement with Oracle over charges that the software giant deceived customers about Java security, and will require that Oracle give users the ability to uninstall older versions of Java.
Despite numerous calls to ban Java, the software still lives on more than 850 million personal computers, making it a juicy target for hackers eager to exploit its vulnerabilities.
The FTC’s complaint against Oracle alleges that Oracle was aware of vulnerabilities affecting older versions of Java that enabled attacks that put users’ personal and financial data at risk. Worse, the complaint alleges that while Oracle was updating users’ machines with the latest and most secure version of Java, it failed to inform consumers that only the most recent prior version of the software was removed from their computers. This practice continued until August 2014; versions prior to Java SE 6 update 10 remained installed on computers, leaving those unpatched versions exposed to attackers.
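The failure described above is easy to check for on an individual machine: inventory every Java runtime present, not just the newest, and flag anything that survives an update. The following is an added example, not code from the article or from Oracle, that parses both legacy (`1.6.0_10`) and post-Java-9 (`11.0.12`) version strings and reports leftover installs relative to the Java SE 6 update 10 baseline named in the complaint; the inventory list is constructed, and in practice would come from the Windows Uninstall registry keys or the Java Control Panel.

```python
import re
from typing import Dict, List, Tuple

# Java version strings come in two shapes: the legacy "1.<major>.<minor>_<update>"
# form (Java SE 6 update 10 is "1.6.0_10", optionally with a "-bNN" build suffix) and
# the post-Java 9 form "<major>.<minor>.<security>[.<patch>]". Both are normalised to a
# sortable (major, minor, security, update) tuple so they can be compared directly.
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-\S+)?$")
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?$")


def parse_java_version(s: str) -> Tuple[int, int, int, int]:
    """Return a sortable tuple for a Java version string; ValueError if unrecognised."""
    s = s.strip()
    m = _LEGACY.match(s)
    if m:
        major, minor, update = m.groups()
        return (int(major), int(minor), 0, int(update or 0))
    m = _MODERN.match(s)
    if m and int(m.group(1)) >= 9:
        major, minor, security, patch = (int(g or 0) for g in m.groups())
        return (major, minor, security, patch)
    raise ValueError(f"unrecognised Java version string: {s!r}")


# Baseline from the FTC complaint: installs older than Java SE 6 update 10 were never removed.
BASELINE = parse_java_version("1.6.0_10")


def audit_java_installs(installed: List[str]) -> Dict[str, object]:
    """Given all installed Java version strings, report the newest, every stale
    leftover, and the subset that predates the 6u10 baseline."""
    if not installed:
        return {"newest": None, "stale": [], "pre_6u10": []}
    ranked = sorted(((parse_java_version(v), v) for v in installed), reverse=True)
    return {
        "newest": ranked[0][1],
        "stale": [v for _, v in ranked[1:]],          # anything but the newest
        "pre_6u10": [v for t, v in ranked if t < BASELINE],
    }


if __name__ == "__main__":
    # Constructed inventory, as a patched-but-never-cleaned machine might look.
    sample = ["1.8.0_261", "1.6.0_7", "1.7.0_45", "11.0.12", "1.6.0_10"]
    print(audit_java_installs(sample))
```

Any entry in `stale` is a runtime the update process left behind; entries in `pre_6u10` are the ones the complaint says were never touched at all.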
The FTC also cited internal Oracle documents that acknowledge the company knew of the shortcomings of its update processes. The commission also pointed out that while Oracle had information on its website about the need to remove older Java versions, it was not clear that the update process did not automatically remove these older implementations. The FTC labeled these failures “deceptive.”
From the FTC:
“Under the terms of the proposed consent order, Oracle will be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.”
Oracle’s failure to remove older versions of Java, dating back to 2010, was especially problematic because attackers, the FTC said, would monitor Oracle’s quarterly patch updates to identify security flaws in the software and craft attacks to exploit them.
Every major exploit kit available for sale on the dark web includes attacks targeting Java vulnerabilities, some folded in within weeks or days of Oracle critical patch updates. The attacks opened the door to the installation of more malware, including keyloggers or exploits for other vulnerabilities.