The software, known as Java SE, helps power many of the features consumers expect to see when they browse the Web, from browser-based games to online chatrooms. But security experts say Java is notoriously vulnerable to attack. It has been linked to a staggering array of security flaws that can enable hackers to steal personal information from users, including the login information for people’s financial accounts, the FTC said.
When Oracle bought Java in 2010, it knew that Java was insecure, the FTC alleged in its initial complaint. Internal corporate records seized by the FTC noted that the "Java update mechanism is not aggressive enough or simply not working."
Although the company issued updates to fix the vulnerabilities as they were discovered, the updates didn't uninstall the older, problematic versions of Java, leaving them on the customer's computer. Oracle never informed users of this, the FTC alleged, enabling hackers to take advantage of those unpatched flaws.
“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement.
As a result, the FTC said, Oracle ran afoul of federal rules aimed at discouraging unfair or deceptive conduct. Oracle is being required to tell users if they have outdated versions of Java on their computers and to "give them the option to uninstall it," according to the FTC. If Oracle violates the terms of its settlement, the company could be subject to fines from the FTC.
An Oracle spokesperson declined to comment.
In a blog post by Nicole Fleming, the FTC’s Consumer Education Specialist, the agency recommended that consumers visit Java.com/uninstall to remove older versions of the program. The post was published under the headline: “What’s worse than stale coffee? Stale Java.”