- March 29, 2016
- Posted by: Kerry Tomlinson, Archer News
- Category: Posts with image, Vulnerabilities
What did the company agree to do for you?
“Java” may be all the buzz on your social media soon, like news of a well-known celebrity going into rehab.
But the messages you get on Twitter and Facebook may come not from TMZ but from the software developer itself, Oracle, to let you know why Java needs a fix.
It’s not voluntary on the part of Oracle. The Federal Trade Commission has just issued a final order in its case against the company, where the agency said Oracle deceived customers by promising them that its Java software updates were “safe and secure,” when they were not.
As part of the deal, Oracle has to notify you through its Twitter or Facebook accounts to help make things right. Then, you might have to take some steps to get your computer back to a safer status.
“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” the FTC’s Jessica Rich said in a press release when the proposed settlement was first announced in December.
“I think this will possibly serve as a legal precedent in the approach to holding software companies liable for security vulnerabilities,” said Patrick C. Miller with Archer Security Group.
What went wrong
In its complaint against Oracle, the FTC said the company knew back in 2011 that there were problems with updates to the Java computing platform, used by 850 million people to do things like play games online, chat, figure out mortgage interest, and see 3D images.
The updates did not get rid of older versions of Java on your computer, so you could still be vulnerable to malicious hackers hovering at the ready to jump on the security gaps in the old Java, the FTC said.
Oracle admitted in internal documents that the “Java update mechanism is not aggressive enough or simply not working,” according to the complaint.
“Safe and secure”
However, the FTC said, Oracle did not tell customers about the problem during the update process, instead showing them installation screens that said things such as “Java provides safe and secure access to the world of amazing Java content,” and that your system would have “the latest . . . security improvements.”
“That left many computers with multiple outdated versions of the software,” the FTC’s Nicole Fleming said in a blog post. “Earlier versions of Java had serious security risks that hackers could exploit to steal login information for people’s financial accounts, and to gather other sensitive information through phishing attacks.”
“As long as these older versions remain on a computer, hackers could continue to exploit them,” Fleming said.
In the final order, the FTC said that Oracle agreed to the consent agreement, but with a statement saying it neither admits nor denies the allegations.
“We decline comment,” Deborah Hellinger with Oracle told Archer News.
“The FTC has long been a bulldog with respect to truth in advertising and cybersecurity,” said Steve Parker with Archer Security Group. “They may be a bit overzealous at times, but the idea that consumers should be properly informed regarding the security of products and services is sound.”
You can wait for social media messages from Oracle telling you how to fix the problem, or you can do it yourself now.
You can visit java.com/uninstall to remove old versions of Java from your computer, the FTC said, or follow one of these steps:
- Update to Java 8 through the official Java website
- Use the uninstall tool on Java’s website for Windows, Mac OS X, Linux, or Solaris
- Visit Oracle’s Help Resources for more options and information
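One way to check whether a machine still carries several Java runtimes side by side, the condition the FTC complaint describes, is to compare the version banner of every installed `java` binary against the newest one present. This is an added example, not Oracle's or the FTC's tooling; the install paths and banners are constructed sample data, and `read_banner` is there for running it against real binaries.

```python
"""Flag leftover Java runtimes on a host.

Added example, not Oracle's or the FTC's tooling: the complaint was that the
updater installed a new Java without removing old ones, so this compares every
install it is given against the newest one present and reports the stale ones.
"""
import re
import subprocess
from typing import Dict, List, Tuple

VERSION_RE = re.compile(r'version "([0-9][0-9._]*)')

def parse_java_version(banner: str) -> Tuple[int, ...]:
    """Turn a `java -version` banner into a comparable tuple.
    Legacy banners read 1.8.0_77 (Java 8 update 77); Java 9+ use 11.0.2 style.
    The leading "1." is dropped so both schemes sort together:
    1.8.0_77 -> (8, 0, 77), 11.0.2 -> (11, 0, 2).
    """
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no version string in banner: {banner!r}")
    parts = tuple(int(p) for p in re.split(r"[._]", match.group(1)))
    return parts[1:] if parts[0] == 1 and len(parts) > 1 else parts

def read_banner(java_binary: str) -> str:
    """Run a real binary; `java -version` writes its banner to stderr."""
    proc = subprocess.run([java_binary, "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout

def stale_installs(banners: Dict[str, str]) -> List[Tuple[str, Tuple[int, ...]]]:
    """banners maps install path -> banner text. Returns (path, version) for
    every install older than the newest; empty means only one version remains."""
    versions = {path: parse_java_version(b) for path, b in banners.items()}
    if not versions:
        return []
    newest = max(versions.values())
    return sorted((p, v) for p, v in versions.items() if v < newest)

# Constructed sample: three runtimes left side by side by successive updates.
SAMPLE_BANNERS = {
    "C:/Program Files/Java/jre7/bin/java.exe": 'java version "1.7.0_51"\n',
    "C:/Program Files/Java/jre1.8.0_45/bin/java.exe": 'java version "1.8.0_45"\n',
    "C:/Program Files/Java/jre1.8.0_77/bin/java.exe": 'java version "1.8.0_77"\n',
}

if __name__ == "__main__":
    for path, version in stale_installs(SAMPLE_BANNERS):
        print(f"stale: {path} (Java {'.'.join(map(str, version))})")
```

To audit a real host, build the `banners` dict by calling `read_banner` on each `java` binary found under the usual install directories.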
Both Parker and Miller agree that the settlement of this case could mean longer end user license agreements, or EULAs, described by Miller as “that thing you scroll through so you can click ‘next.’”
“This will likely lead to increased disclaimer-type language and reduced marketing fluff, but that’s not a bad thing,” said Parker. “After all, nothing is ‘unbreakable.’”
Bonus protection step
You can take an extra step to protect yourself, said Daniel Lance with Archer Security.
“How do we move forward and improve how we use technology in a secure way, knowing that a competent company could make this kind of mistake?” he asked.
He recommended you “rebuild” your computer every year.
“It’s not uncommon for me to do this a few times a year,” he said. “Most people might not realize that when they ‘uninstall’ something, they are not removing everything. There are few programs that can effectively do this.”
If a “rebuild” sounds daunting, Lance provides these steps:
- Make a backup of your machine, then copy the home folder and drag it off the machine and onto an external drive.
- Then, reinstall the operating system and reload all of your apps.
- Move your home folder back, resetting file permissions, and you are done.
“This can also help with performance issues on SSDs [solid-state drives] and HDDs [hard disk drives], so it’s a win-win!” he said.
What Oracle must do
The final order says Oracle needs to post on its Twitter and Facebook accounts with the text, “IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE,” and link to an explanation letter.
Oracle also needs to contact Avast Software, AVG Technologies, ESET North America, Avira, Inc., McAfee, Inc., Symantec Corporation, Trend Micro, Inc., and Mozilla Corporation, asking them to publish the information in their security bulletins, the order said.
During the update process, Oracle will have to tell you if you have the old versions of Java, notify you of the risk, and give you the option to uninstall, according to the order.
Plus, for three years, Oracle has to give you “prompt and free help” in resolving the problem, with a page on its website clearly explaining how to uninstall the old Java, and an electronic form for you to fill out if you have questions.
The order “will prohibit the company from making any further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle provides,” the FTC said, and the company must write a report in 90 days to show how it has followed—or not followed—the order.
The FTC said in a letter that it does not have the authority to get civil penalties for an initial violation. “However, once the order becomes final, Oracle could be liable for civil penalties of up to $16,000 per violation per day,” the letter said.