Oracle deceived users of its Java software when it claimed to be enhancing security with updates to Java Platform, Standard Edition software (Java SE) and will now make changes imposed by the Federal Trade Commission (FTC).
The FTC's complaint, filed in 2010, states that Oracle knew of significant security issues affecting older versions of Java SE which allowed miscreants to create malware capable of harvesting usernames and passwords for financial accounts, as well as other sensitive personal information.
Oracle promised users that by installing its updates to Java SE both the updates and the consumer's system would be “safe and secure” with the “latest… security updates,” according to a release on the FTC site. But, the company neglected to inform users that the update did not affect early versions of Java SE, which left computers vulnerable to attack.
Oracle will now be required to alert users during the Java SE update process if they have antiquated versions of the software, notify them of the risk, and provide the option to uninstall, the FTC said.After a month open to public comment, the order will be finalized, after which each violation could result in a civil penalty of up to $16,000.