Oracle Settles FTC Charges It Deceived Consumers Over Insecure Java SE Updates

that Oracle will be required to give consumers an easy way to uninstall older, insecure versions of Java SE under the proposed consent order. The company is also required to inform consumers via social media and its website about the settlement and how consumers can remove older versions of Java SE, which are vulnerable to hacking, the FTC said. The commission voted 4-0 to issue the complaint and accept the proposed consent order, which will be published in the Federal Register soon and then be subject to public comment until Jan. 20. At that time, the commission will decide whether to make the proposed consent order final. The FTC alleged Oracle had been aware of "significant security issues" with older Java SE versions, which support browser-based features such as calculators, online gaming, chat rooms and 3D images. The agency said the security flaws "allowed hackers to craft malware that could allow access to consumers' usernames and passwords for financial accounts" and launch phishing attacks. The FTC complaint also alleged Oracle promised consumers Java SE installed updates would protect their systems, but the company failed to say the update "automatically removed only the most recent prior version of the software" not earlier versions that might be installed. The agency said no versions released before Java SE version 6 update 10 were uninstalled. The FTC also alleged internal Oracle documents showed the company was aware of the problem in 2011 and "a large number of hacking incidents were targeting prior versions." Oracle had notices posted on its website about the need to remove older versions, but it didn't indicate the process didn't automatically remove older versions. Oracle did not comment.