Oracle Settles FTC Charges Regarding Deceptive Java Security Updates (ftc.gov)
An anonymous reader writes: The FTC and Oracle have come to an agreement regarding Oracle's deceptive Java security updates, which only removed recent versions of vulnerable Java SE, but left behind older, insecure versions. Oracle got away without a fine, but will have to overhaul its Java update process to remove older versions as well.
Yeah, right ... (Score:5, Funny)
Oracle probably threatened them with a license audit and they'd need to pay eleventy eleven trillion dollars.
Re:Yeah, right ... (Score:5, Insightful)
Re: (Score:2)
need mod points..
Re: (Score:2)
Somehow, I doubt it.
Apparently that doesn't seem to be problematic for someone to sneak in adware to boost their own bottom line.
Re: (Score:2)
And no McAfee crapware, either.
can't even spell Ass right (Score:2)
bunch'a'losers
Re: (Score:1)
It's now the Tell toolbar.
Re: (Score:1)
Java should just die.
At least on the web end and be used for servlets. It was very awesome and secure during the 1990s and HOT. Sun ruined it and Oracle left it to rot more. It is a classic example of brilliant engineers being ruined and restrained by management.
Re:Yeah, right ... (Score:4, Informative)
Well... Java in the web browser should just die...
Java as a platform is just fine.
If you follow the instructions for enterprise deployment and extract the MSI from the self-extracting archive, you won't get the updater or any adware. You will, however, still need to remove the previous version manually.
now, about that deceptive licensing and charges... (Score:2)
"first, we need to determine precisely what the company is spending on these sailing days..."
Good, about time (Score:5, Insightful)
Re: (Score:2)
I noticed this a few months ago when I built a system and had it scanned for compliance and was getting hit with a several year old hole in Java. I was confused because I knew I upgraded Java on the system. Then I realized that the old version was still there. Truth be said, if I build a machine and I don't absolutely need Java on it, it doesn't get loaded. Same goes for Flash.
Could be worse. One former client of mine had an app which used security holes to function so it could do OLE with Excel 2003 and was stuck at Java 1.4.2 as late as 2012. No JOKE! Worse, this insecure applet was for financial processing ... face palm.
Since calling apps and inserting data every is insecure, it won't function in later versions, and during this customer's Windows 7 deployment it became a problem. I think we found a hack where we crippled all security for all financial analysts to get it to work??!
Re: (Score:2)
Yeah, it is for this reason that I created a PowerShell script for all of our computers which will, by default, remove all Java versions from the computer at startup. It will check for group membership and install the approved version of Java if that computer is in the group.
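The startup-cleanup approach described above, as an added PowerShell example that is not the commenter's script: it reads the Windows Uninstall registry keys, lists every Oracle/Sun Java runtime registered on the machine (the leftover-old-version situation the FTC settlement is about), and with -Remove silently uninstalls all but the newest through msiexec. The DisplayName/Publisher filter and the assumption that the registry key name is the MSI product code are assumptions about Oracle's standard installers; the group-membership gating the commenter mentions is left out.

```powershell
# Added example (not the commenter's script): inventory Java runtimes registered in the
# Windows Uninstall keys and, when -Remove is given, uninstall every version except the
# newest. Assumes Oracle/Sun Java entries have a DisplayName starting with "Java" and
# that the registry key name is the MSI product code (true for the standard Oracle
# installers; treat it as an assumption for third-party bundles).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove the script only reports what it found
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match '^Java(\(TM\))?\s' -and
        $_.Publisher   -match 'Oracle|Sun Microsystems'
    } |
    ForEach-Object {
        # DisplayVersion looks like "8.0.650.17"; [version] makes it sortable
        $parsed = $null
        if (-not [version]::TryParse($_.DisplayVersion, [ref]$parsed)) { $parsed = [version]'0.0' }
        [pscustomobject]@{
            Name        = $_.DisplayName
            Version     = $parsed
            ProductCode = $_.PSChildName          # {GUID} for MSI-based installs
            Path        = $_.InstallLocation
        }
    } |
    Sort-Object Version -Descending

if (-not $java) {
    Write-Output 'No Oracle/Sun Java runtimes registered on this machine.'
    return
}

$newest = $java[0]
$stale  = $java | Select-Object -Skip 1

Write-Output ("Newest: {0} ({1})" -f $newest.Name, $newest.Version)
foreach ($old in $stale) {
    Write-Output ("Stale : {0} ({1}) at {2}" -f $old.Name, $old.Version, $old.Path)
    # Only act on entries whose key name is a real product code, and honour -WhatIf
    if ($Remove -and $old.ProductCode -match '^\{[0-9A-F-]{36}\}$' -and
        $PSCmdlet.ShouldProcess($old.Name, 'msiexec /x')) {
        # /qn = no UI; /norestart so a scheduled startup run never reboots the host
        Start-Process msiexec.exe -ArgumentList "/x $($old.ProductCode) /qn /norestart" -Wait
    }
}
```

Run it without arguments from an elevated prompt to get an inventory only; `-Remove -WhatIf` shows what would be uninstalled, and `-Remove` performs it. Compliance scanners that flag an "old Java" finding on a patched box are usually seeing exactly the stale entries this lists.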
Oh Joy! (Score:2)
WTF? (Score:2)
This seems senseless. What's in it for Oracle to leave ancient versions of Java lying around? Was it just they couldn't be bothered to remove them?
Are there technical obstacles to removing them? And if so, why not tell the user to remove them manually? It's just another line of boilerplate that no one will read or pay attention to, but then it's the user's problem, not Oracle's. Isn't that what TOS are for? To make everything the user's problem?
Re: (Score:1)
Lots of out-of-date Java programs which don't support newer versions of Java because it would require updating from a removed class to a newer one. My biggest question is: why does the FTC think that any of the versions of Java are secure?
Re: WTF? (Score:4, Informative)
Ding ding ding. You can have anything you want as long as you're willing to pay for it.
The shit release management practices used by Oracle are already the user's problem.
The FTC has decided you can't claim to have a tool which says it removes older, insecure versions and then only delete some of those older, insecure versions.
Re: (Score:2)
It's true that Oracle should certainly notify about bad / old versions of Java, but sadly there are cases like:
1. Third party tools bundle Java in their own installations (Should Oracle notify / ignore / etc?)
2. Old versions may be necessary for some legacy coding requirements (We're currently stuck with 1.6 due to a third party middleware that dropped support for our use case and haven't had enough time to iron out the migration path)
3. Along
Re: (Score:2)
I think their rationale was that they didn't want to take responsibility for breaking compatibility for applications that rely on an older version of Java.
Since several parallel Java instances can be installed at the same time, why not just leave the old one there and know, for sure, that you won't break anything?
I am not defending them, I am just saying there *could* (at least at one time) be a valid reason for keeping old versions around.... Who knows, perhaps it was requested by a big client or perhaps w
This new change needs to be optional (Score:1)
Re: (Score:2)
Sounds like you have a warning to change how you develop.
I suspect that running a new installer followed by older ones will keep the static versions intact, but that only baselines. It won't work forever.
You got some work to do.
FTC isn't paid to settle everything with fines (Score:2)
The FTC's job is to protect the consumer, not be on the corporate kickback payroll.
FTC fines are a perverse incentive that creates predictable costs to the profitable bottom line of the bottom feeders in a corporate plutocracy.
It's like Oracle's performance in the America's Cup: unethical, admonished, but ultimately victorious.
Harmless? (Score:2)
Aren't installations that aren't the primary one rather harmless? If the browser doesn't link to them and they aren't on your run path, then they are just harmless bits, no? If anything with evil intent on your system had the power to execute them, then it was already game over.
Seems reasonable (Score:2)