If you have updated the Java version in your computer and Oracle, which acquired Java developer Sun Microsystems, told you your PC would be safe, you might have been conned.
Oracle has settled the United States Federal Trade Commission’s claim that the company misled customers with information that Java updates also brought security features to their PCs. The settlement requires Oracle to notify users when their version of Java SE installed in their computers is out of date.
It is true, nonetheless, that updating to the latest version of software provides a higher level of protection. However, the case with Oracle is quite different. The company did not tell its customers that the older (and thus vulnerable) versions of Java SE would stay in the PC when there are multiple versions of Java installed in the system.
That means the older versions are still lurking in the less noticeable corners of the computer while hackers are only waiting for the right moment to launch their attacks. Java has a notorious history of attracting a gang of hackers, in large part due to the software’s wide application, from industrial machines to PCs. Also, Java has been plagued with so many bugs, which are being commonly exploited by attackers.
Security experts did not lack for warnings about the implications of outdated Java versions. Old software, by the laws of computing, opens whole new worlds of vulnerabilities that will expose enterprises and consumers to attacks, both simple and sophisticated. If you could remember, in recent history, the United States government requested users to disable the Java software installed in their browsers due to a zero-day vulnerability.
As indicated in the Oracle settlement with FTC, the company failed to clarify the proper way to uninstall outdated Java versions when the company rolled out updates for the software in August of the previous year. FTC also alleged that Oracle knew about a vulnerable update in 2011, but opted to remain silent instead of warning its users about the situation.
In all fairness, Oracle does not lack for reminders about older Java versions staying in the browser and the security risks they pose while not being removed. But the notices posted on Oracle’s website failed to explain that software updates do not automatically remove older versions of the Java software.
The FTC now requires Oracle to warn users if they version of the Java SE is out of date and inform them about the security risks from not manually uninstalling the old software iteration from their PCs.
