You made this mess, now you'll clean it up.
See Also: Rethinking Endpoint Security
That's the security message of the Federal Trade Commission's Dec. 21 settlement with technology giant Oracle. The agency alleges that Oracle has been making "deceptive security claims about Java SE" relating to how it has been updating - or not - older versions of the run-time environment and browser plug-ins. Oracle acquired Java when it bought Sun Microsystems in 2010.
"It is vital that ... security updates actually provide security for the software"
"When a company's software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software," says Jessica Rich, director of the FTC's Bureau of Consumer Protection. "The FTC's settlement requires Oracle to give Java users the tools and information they need to protect their computers."
Here's how Oracle sees the matter: "The FTC alleged that, in the past, when you installed or updated Java SE, it didn't replace the version already on your computer. Instead, each version installed side-by-side at the same time. Later, after we changed this, installing or updating Java SE removed only the most recent version already on your computer. What's more, in many cases, it didn't remove any version released before October 2008."
That language comes via a security notice, including Java uninstallation instructions, that Oracle has promised to distribute via its own Facebook and Twitter accounts, according to the FTC's proposed consent order, which is now open for public comment for 30 days. Oracle has also promised to contact numerous anti-virus vendors and request that they too issue the security alert verbatim to their users.
The FTC's move is notable, because it's the first time the agency has cracked down on a company for failing to eliminate vulnerable versions of its software when users install a new update. In this case, the agency alleges that whenever a Java update was available, Oracle's installation screens stated that "Java provides safe and secure access to the world of amazing Java content," and that after updating, the user's system would have "the latest ... security improvements."
By failing to delete older versions of Java installed on the same system, Oracle arguably left users at even greater risk, because they might have reasonably expected to have expunged older, dangerous versions of Java when installing the latest update.
"The security issues allowed hackers to craft malware that could allow access to consumers' usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks," the FTC notes.
According to an internal Oracle memorandum cited by the FTC, the company knew that it had a problem with the updating process, reporting that the "Java update mechanism is not aggressive enough or simply not working." The FTC alleges that Oracle failed to provide proper warnings or help to users.
The FTC's move has been lauded by some security researchers. "We're really glad to learn that the U.S. regulatory body investigated Oracle and put the company to order [over] its deceitful practices and claims regarding Java SE security," veteran Java bug-hunter Adam Gowdiak, who heads Polish security and vulnerability research firm Security Explorations, tells me. "We hope the FTC ruling will pave the way for making software vendors liable for the quality and security of their products some time in the future."
Why Attackers Love Java
Java has been frequently targeted by automated crimeware exploit toolkits. That's because there are so many outdated versions of Java - sporting known vulnerabilities - offering cybercriminals an easy and reliable way to compromise numerous PCs. Recently published research from security vendor Kaspersky Lab, for example, notes that in 2015, Java was targeted by online attackers three times as frequently as Adobe Flash. Overall in 2015, 13 percent of all online attacks targeted Java, putting it in third place after browsers (62 percent) and Android (14 percent).
A while back, I documented the difficulty that users often faced when trying to determine how many different instances of Java might be installed on their Windows or Mac OS X device. The What Version of Java Are You Using? website, for example, offers nine techniques to help users try and answer those questions.
The latest version of Java - version 8, first released in March 2014 - finally included the ability to automatically install new Java updates from Oracle, which is an essential defense for keeping the software patched, especially after new zero-day attacks get discovered. In January, Oracle also began automatically upgrading all Java 7 users to Java 8.
Flurry of FTC Enforcement Actions
The FTC's Oracle settlement follows the agency reaching a settlement agreement with the hotel chain Wyndham over three security breaches in 2008 and 2009 that exposed information on 619,000 payment cards as well as personally identifiable information (see Wyndham Agrees to Settle FTC Breach Case). Likewise, despite a recent setback, the FTC has also promised to continue to pursue its case against medical testing laboratory LabMD over claims that the company suffered two data breaches that left consumers at risk of identity theft (see FTC to Appeal Ruling that Dismissed LabMD Case).
The FTC lacks the legal authority to fine organizations outright if they break consumer protection laws. But the agency is empowered to investigate alleged violations and file related complaints, on which a court can then rule. Instead, many organizations agree to a settlement - without confirming or denying the FTC's allegations - that specifies that they will be fined if they break the settlement terms, and which precludes them from challenging or contesting the settlement terms.
Thus it's notable that last week, the FTC announced that identify theft monitoring firm LifeLock settled a repeat infraction for a staggering $100 million, relating to the company's failure to establish and maintain an information security program to protect its customers' personally identifiable information.
Oracle, too, now faces the prospect of a massive fine if it violates the proposed FTC settlement agreement. Let's hope instead that the company simply cleans up the Java mess it created.