FTC: Oracle in the Wrong Over Java Updates

Oracle will be forced to allow customers to easily uninstall old, insecure versions of Java SE after agreeing to settle regulator charges that it deceived consumers about its security updates.

The FTC claimed in a press release that Oracle had promised Java users that by installing its updates they would be “safe and secure.” However, it apparently failed to tell them that the update only automatically removed the most recent prior version of the popular software.

This strategy potentially left older, insecure versions of Java on user machines which could then be exploited by hackers.

What’s more, the FTC claimed that internal documents showed Oracle knew its Java update mechanism was “not aggressive enough or simply not working” as far back as 2011.

The business software giant did inform customers of the need to remove older software versions, via notices on its site. But these failed to explain that the update process didn’t automatically do this, violating Section 5 of the FTC Act, the regulator claimed.

Oracle finally fixed the update mechanism in August 2014, according to the FTC.

Oracle will now be required to notify any customers during the update process if they have outdated Java software versions; to inform them about the risks involved with having old software running; and to give them the option of uninstalling it.
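The update behaviour described above, and the kind of check the consent order now requires, as an added illustration that is not part of the article or of Oracle's installer: the installer is modelled as removing only the single most recent prior release, and a second function lists every remaining Java SE entry older than the newest one present. The installed-program names are a constructed sample; on a real host they would come from the operating system's installed-software inventory.

```python
import re
from typing import List, Tuple

# Constructed sample of installed-program display names (not taken from the article).
INSTALLED = [
    "Java(TM) 6 Update 31",
    "Java 7 Update 45",
    "Java 7 Update 67",
    "Java 8 Update 60",
]

_VERSION_RE = re.compile(r"Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)", re.IGNORECASE)


def parse_version(name: str) -> Tuple[int, int]:
    """Map a Java SE display name to (family, update), e.g. 'Java 7 Update 45' -> (7, 45)."""
    m = _VERSION_RE.search(name)
    if not m:
        raise ValueError(f"not a Java SE entry: {name!r}")
    return int(m.group(1)), int(m.group(2))


def flawed_update(installed: List[str], new: str) -> List[str]:
    """Model of the behaviour the FTC described: installing `new` removes only the
    most recent prior release and leaves every older release on the machine."""
    versions = sorted(installed, key=parse_version)
    remaining = versions[:-1]  # only the newest prior release is dropped
    return remaining + [new]


def stale_versions(installed: List[str]) -> List[str]:
    """Every installed Java SE entry older than the newest one present, oldest first.
    This is the list a user should be told about and offered to uninstall."""
    if not installed:
        return []
    newest = parse_version(max(installed, key=parse_version))
    return sorted((v for v in installed if parse_version(v) < newest), key=parse_version)


if __name__ == "__main__":
    after = flawed_update(INSTALLED, "Java 8 Update 66")
    print("installed after update:", after)
    print("outdated releases left behind:", stale_versions(after))
```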

It will also need to post a “broad notice” on its site and social channels about the FTC decision and how users can remove old versions of Java.

The FTC added:

“The consent order also will prohibit the company from making any further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle provides.”

The regulator has posted a consumer blog and the full details of the agreement with Oracle, including the open letter it must post to customers.
