
Oracle Settles FTC Charges Regarding Deceptive Java Security Updates (ftc.gov) 33

An anonymous reader writes: The FTC and Oracle have come to an agreement regarding Oracle's deceptive Java security updates, which only removed recent versions of vulnerable Java SE, but left behind older, insecure versions. Oracle got away without a fine, but will have to overhaul its Java update process to remove older versions as well.
  • by gstoddart ( 321705 ) on Tuesday December 22, 2015 @08:51AM (#51164675) Homepage

    Oracle probably threatened them with a license audit and they'd need to pay eleventy eleven trillion dollars.

  • Good, about time (Score:5, Insightful)

    by mitcheli ( 894743 ) on Tuesday December 22, 2015 @09:00AM (#51164727)
    I noticed this a few months ago when I built a system and had it scanned for compliance and was getting hit with a several year old hole in Java. I was confused because I knew I upgraded Java on the system. Then I realized that the old version was still there. Truth be said, if I build a machine and I don't absolutely need Java on it, it doesn't get loaded. Same goes for Flash.
    • I noticed this a few months ago when I built a system and had it scanned for compliance and was getting hit with a several year old hole in Java. I was confused because I knew I upgraded Java on the system. Then I realized that the old version was still there. Truth be said, if I build a machine and I don't absolutely need Java on it, it doesn't get loaded. Same goes for Flash.

      Could be worse. One former client of mine had an app which used security holes to function so it could do OLE with Excel 2003 and was stuck at Java 1.4.2 as late as 2012. No JOKE! Worse, this insecure applet was for financial processing ... face palm.

      Since calling apps and inserting data every is insecure it won't function in later versions and during this customer's Windows 7 deployment it became a problem. I think we found a hack where we crippled all security for all financial analysts to get it to work??!

    • Yeah, it is for this reason that I created a PowerShell script for all of our computers which will, by default, remove all Java versions from the computer at startup. It will check for group membership and install the approved version of Java if that computer is in the group.
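
A startup cleanup along the lines the comment above describes, added here as an example and not the commenter's script. It keeps the approved build in place on group members instead of reinstalling it; the group name `Java-Approved-PCs` and the approved version value are placeholders.

```powershell
# Added example, not the commenter's script. Group name and approved version are placeholders.
function Remove-StaleJava {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][version]$ApprovedVersion,   # DisplayVersion of the approved build
        [string]$ApprovedGroup = 'Java-Approved-PCs'       # hypothetical AD group name
    )

    # MSI-installed runtimes register under both the native and the 32-bit (WOW6432Node) hive.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)\b' -and
                       $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' }

    # Direct AD group membership of this computer; nested groups are not resolved.
    $inGroup = $false
    try {
        $hit = ([adsisearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))").FindOne()
        if ($hit) {
            $inGroup = [bool](@($hit.Properties['memberof']) -like "CN=$ApprovedGroup,*")
        }
    } catch {
        Write-Warning "Directory lookup failed; treating machine as not approved: $_"
    }

    foreach ($entry in $installed) {
        $version = $entry.DisplayVersion -as [version]      # $null if unparsable
        $keep    = $inGroup -and ($version -eq $ApprovedVersion)
        $action  = if ($keep) { 'Keep' } else { 'Remove' }
        if (-not $keep -and $PSCmdlet.ShouldProcess($entry.DisplayName, 'Uninstall')) {
            $msiArgs = "/x $($entry.PSChildName) /qn /norestart"
            $exit    = (Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru).ExitCode
            $action  = "Removed (msiexec exit $exit)"
        }
        [pscustomobject]@{
            Name    = $entry.DisplayName
            Version = $entry.DisplayVersion
            Action  = $action
        }
    }
}

# Dry run: list what would be removed without uninstalling anything.
# Remove-StaleJava -ApprovedVersion '<approved DisplayVersion>' -WhatIf
```

Runtimes that third-party tools bundle inside their own install folders do not register under these uninstall keys, so finding them takes a separate file-system sweep.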

  • Java is going to nag me to update even more!
  • by swm ( 171547 )

    This seems senseless. What's in it for Oracle to leave ancient versions of Java lying around? Was it just they couldn't be bothered to remove them?

    Are there technical obstacles to removing them? And if so, why not tell the user to remove them manually? It's just another line of boiler plate that no one will read or pay attention to, but then it's the user's problem, not Oracle's. Isn't that what TOS are for? To make everything the user's problem?

    • by Anonymous Coward

      Lots of out-of-date Java programs which don't support newer versions of Java because it would require updating from a removed class to a newer one. My biggest question is: why does the FTC think that any of the versions of Java are secure?

    • Re: WTF? (Score:4, Informative)

      by gstoddart ( 321705 ) on Tuesday December 22, 2015 @09:51AM (#51165011) Homepage

      Was it just they couldn't be bothered to remove them?

      Ding ding ding. You can have anything you want as long as you're willing to pay for it.

      The shit release management practices used by Oracle are already the user's problem.

      The FTC has decided you can't claim to have a tool which says it removes older, insecure versions and then only delete some of those older, insecure versions.

      • by ADRA ( 37398 )

        It's true that Oracle should certainly notify about bad / old versions of Java, but sadly there are cases like:
        1. Third party tools bundle Java in their own installations (Should Oracle notify / ignore / etc?)
        2. Old versions may be necessary for some legacy coding requirements (We're currently stuck with 1.6 due to a third party middleware that dropped support for our use case and haven't had enough time to iron out the migration path)
        3. Along

    • I think their rationale was that they didn't want to take responsibility for breaking compatibility for applications that rely on an older version of Java.

      Since several parallel Java instances can be installed at the same time, why not just leave the old one there and know, for sure, that you won't break anything?

      I am not defending them, I am just saying there *could* (at least at one time) be a valid reason for keeping old versions around.... Who knows, perhaps it was requested by a big client or perhaps w

  • Oracle already intentionally supports the concept of multiple versions by allowing Static installations; when an installation is flagged as Static, it is installed separately, using the full build version number as the folder name rather than the major version only (i.e. jre_1.7.25 rather than jre7). Doing this allows you to call multiple different versions of Java independently, based on your needs. However, if I just run the installer as-is, it does an in-place swap of the version; if I go from a standard
    • Sounds like you have a warning to change how you develop.

      I suspect that running a new installer followed by older ones will keep the static versions intact, but that only baselines. It won't work forever.

      You got some work to do.

  • The FTC's job is to protect the consumer, not be on the corporate kickback payroll.

    FTC fines are a perverse incentive that creates predictable costs to the profitable bottom line of the bottom feeders in a corporate plutocracy.

    It's like Oracle's performance in the America Cup: unethical, admonished, but ultimately victorious.

  • Aren't installations that aren't the primary one rather harmless? If the browser doesn't link to them and they aren't on your run path, then they are just harmless bits, no? If anything with evil intent on your system had the power to execute them, then it was already game over.

  • this looks more like a mistake than anything else. It's nice to see the FTC calling them on it (nobody else had) but punishing companies for a mistake before giving them the chance to correct it wouldn't exactly be fair.
