Oracle Settles FTC Charges Regarding Deceptive Java Security Updates (ftc.gov)

← Back to Stories (view on slashdot.org)

Oracle Settles FTC Charges Regarding Deceptive Java Security Updates (ftc.gov)

Posted by timothy on Tuesday December 22, 2015 @01:45AM from the why-didn't-they-use-a-crystal-ball dept.

An anonymous reader writes: The FTC and Oracle have come to an agreement regarding Oracle's deceptive Java security updates, which only removed recent versions of vulnerable Java SE, but left behind older, insecure versions. Oracle got away without a fine, but will have to overhaul its Java update process to remove older versions as well.

33 comments

Min score:

Reason:

Sort:

Yeah, right ... by gstoddart · 2015-12-22 01:51 · Score: 4, Funny

Oracle probably threatened them with a license audit and they'd need to pay eleventy eleven trillion dollars.

--
Lost at C:>. Found at C.
1. Re:Yeah, right ... by crunchy_one · 2015-12-22 01:57 · Score: 4, Insightful
  
  So, they're going to stop shoving the Ask toolbar as part of their update process?
2. Re:Yeah, right ... by Virtucon · 2015-12-22 01:59 · Score: 1
  
  need mod points..
  
  --
  Harrison's Postulate - "For every action there is an equal and opposite criticism"
3. Re:Yeah, right ... by Billly+Gates · 2015-12-22 02:06 · Score: 0
  
  Java should just die.
  At least on the web end and be used for servlets. It was very awesome and secure during the 1990s and HOT. Sun ruined it and Oracle left it to rot more. It is a classic example of brilliant engineers being ruined and restrained by management.
  
  --
  http://saveie6.com/
4. Re:Yeah, right ... by gstoddart · 2015-12-22 02:07 · Score: 1
  
  Somehow, I doubt it.
  Apparently that doesn't seem to be problematic for someone to sneak in adware to boost their own bottom line.
  
  --
  Lost at C:>. Found at C.
5. Re:Yeah, right ... by The-Ixian · 2015-12-22 02:59 · Score: 3, Informative
  
  Well... Java in the web browser should just die...
  Java as a platform is just fine.
  If you follow the instructions for enterprise deployment and extract the MSI from the self-extracting archive, you won't get the updater or any adware. You will, however, still need to remove the previous version manually.
  
  --
  My eyes reflect the stars and a smile lights up my face.
6. Re:Yeah, right ... by Anonymous Coward · 2015-12-22 03:15 · Score: 0
  
  You're not far wrong. I used to be a developer for $LARGE_US_MOTOR_COMPANY that standardised on Sparc + Oracle (via their consultants sucking up all DC funds). After many years of slow performing applications, and massive license fees (with per CPU increases well before MS thought of them), LAMP started to get a foothold via smaller projects on generic x86 boxen. As soon as these consultants got wind of what other departments were delivering, shit hit the fan.
  The next thing you know, we're all dealing with "auditors" looking for surreptitious usage of Oracle on every box listed in the project docs. I've no idea how they managed it to get this authority. It was a right fucking pain having to go over the same shit time and time again, obviously wasting our time just because they could. The long and short of it was: kill the LAMP installs and these tossers soon fucked off else.
  The depts I worked for took it on the chin, but once those 16-way boxen had reached EOL, they were all canned for RHEL.
7. Re:Yeah, right ... by Wootery · 2015-12-22 07:19 · Score: 1
  
  And no McAfee crapware, either.
8. Re:Yeah, right ... by Tablizer · 2015-12-22 11:42 · Score: 1
  
  It's now the Tell toolbar.
  
  --
  Table-ized A.I.
Good, about time by mitcheli · 2015-12-22 02:00 · Score: 4, Insightful

I noticed this a few months ago when I built a system and had it scanned for compliance and was getting hit with a several year old hole in Java. I was confused because I knew I upgraded Java on the system. Then I realized that the old version was still there. Truth be said, if I build a machine and I don't absolutely need Java on it, it doesn't get loaded. Same goes for Flash.

--
Select from tblFriends where interesting >= 4;
1. Re:Good, about time by Billly+Gates · 2015-12-22 02:09 · Score: 1
  
  I noticed this a few months ago when I built a system and had it scanned for compliance and was getting hit with a several year old hole in Java. I was confused because I knew I upgraded Java on the system. Then I realized that the old version was still there. Truth be said, if I build a machine and I don't absolutely need Java on it, it doesn't get loaded. Same goes for Flash.
  Could be worse. One former client of mine had an app which used security holes to function so it could do OLE with Excel 2003 and was stuck at java 1.4.2 as late as 2012. No JOKE! Worse this insecure applet was for financial processing ... face palm.
  Since calling apps and inserting data every is insecure it won't function in later versions and during this customers Windows 7 deployment it became a problem. I think we found a hack where we crippled all security for all financial analysts to get it work??!
  
  --
  http://saveie6.com/
2. Re:Good, about time by The-Ixian · 2015-12-22 03:01 · Score: 1
  
  Yeah, it is for this reason that I created a powershell script for all of our computers which will, by default, remove all java versions from the computer at start up. It will check for group membership and install the approved version of java if that computer is in the group.
  
  --
  My eyes reflect the stars and a smile lights up my face.
moms ready to settle with wmd on credit cabals? by Anonymous Coward · 2015-12-22 02:01 · Score: 0

infinite patience no longer included? truth+mercy=justice for everybody?
Oh Joy! by fluffernutter · 2015-12-22 02:10 · Score: 1

Java is going to nag me to update even more!

--
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
WTF? by swm · 2015-12-22 02:19 · Score: 1

This seems senseless. What's in it for Oracle to leave ancient versions of Java lying around? Was it just they couldn't be bothered to remove them?
Are there technical obstacles to removing them? And if so, why not tell the user to remove them manually? It's just another line of boiler plate that no one will read or pay attention to, but then it's the user's problem, not Oracle's. Isn't that what TOS are for? To make everything the user's problem?
1. Re: WTF? by Anonymous Coward · 2015-12-22 02:34 · Score: 1
  
  Lots of out of data java programs which don't support newer versions of Java because it would require updating from a removed class to a newer one. My biggest question is: why does the FTC think that any of the versions of Java are secure?
2. Re: WTF? by gstoddart · 2015-12-22 02:51 · Score: 3, Informative
  
  Was it just they couldn't be bothered to remove them?
  Ding ding ding. You can have anything you want as long as you're willing to pay for it.
  The shit release management practices used by Oracle are already the user's problem.
  The FTC has decided you can't claim to have a tool which says it removes older, insecure versions and then only delete some of those older, insecure versions.
  
  --
  Lost at C:>. Found at C.
3. Re: WTF? by The-Ixian · 2015-12-22 03:07 · Score: 1
  
  I think their rationale was that they didn't want to take responsibility for breaking compatibility for applications that rely on an older version of Java.
  Since several parallel Java instances can be installed at the same time, why not just leave the old one there and know, for sure, that you won't break anything?
  I am not defending them, I am just saying there *could* (at least at one time) be a valid reason for keeping old versions around.... Who knows, perhaps it was requested by a big client or perhaps was even a business need for themselves internally, so that's how they left it... it's a feature!
  
  --
  My eyes reflect the stars and a smile lights up my face.
4. Re: WTF? by ADRA · 2015-12-22 05:17 · Score: 1
  
  Its true that Oracle should certainly notify about bad / old versions of Java, but sadly there are cases like:
  1. Third party tools bundle Java in their own installations (Should Oracle notify / ignore / etc?)
  2. Old versions may be necessary for some legacy coding requirements (We're currently stuck with 1.6 due to a third party middleware that dropped support for our use case and haven't had enough time to iron out the migration path)
  3. Along with #2, some JavaWebStart based apps (if anyone actually uses this anymore) can be specifically flagged for an older generation JVM's. I'm not sure what the best bet is for Oracle in these cases.
  I'd say the notification of any outstanding legacy JVM's is the best case and ideally (though much harder) identifying which applications are actually still depending on these legacy versions.
  
  --
  Bye!
5. Re: WTF? by Anonymous Coward · 2015-12-22 08:40 · Score: 0
  
  I don't know about the more recent versions, but PeopleSoft for some time had a hard java version requirement.
  You don't take chances with the paychecks.
6. Re: WTF? by Anonymous Coward · 2015-12-27 06:01 · Score: 0
  
  Oracle should have made a notification message.
  Noticing the user of the legacy dependency.
  (And maybe show a list of programs depending on the older java versions together with the JVM those programs depend on.)
  If the user would be notified of this problem.
  I see nothing wrong with making the tool only remove older JVM's not used by any programs and leave used JVM's in place as default.
  On the condition the user is notified of this of course.
Bad Idea by Anonymous Coward · 2015-12-22 02:38 · Score: 0

New versions of Java introduce breaking changes and often aren't compatible with older software. The best solution? Install the versions of Java required by your software and disable Java in the browser. Thanks to NPAPI deprecation, this is practically done for you.
1. Re:Bad Idea by Anonymous Coward · 2015-12-22 02:55 · Score: 0
  
  Not just new versions, 1.6 update 10 broke compatibility for some features, with 1.5.x and 1.6 update =9 ,
  1.7 update 51 (maybe 50?) forced a user side change to enable the same functionality 1.7 update 49 supported.
  I think I remember something similar with 1.5
  and I don't have any products live on 1.8 yet so can't speak to it much.
Probably no one wants to update to the new version by Anonymous Coward · 2015-12-22 03:15 · Score: 0

Why is Oracle's software always covered in pukey beige? Oracle's user-interface design looks like you taught IBM Watson how to search the internet for bad UIs and it got so sick and dumped diarrhea all over their software.
This new change needs to be optional by Keiran+Halcyon · 2015-12-22 03:44 · Score: 1

Oracle already intentionally supports the concept of multiple versions by allowing Static installations; when an installation is flagged as Static, it is installed separately, using the full build version number as the folder name rather than the major version only (i.e. jre_1.7.25 rather than jre7), Doing this allows you to call multiple different versions of Java independently, based on your needs. However, if I just run the installer as-is, it does an in-place swap of the version; if I go from a standard install of Java 1.7.25 (installed to a folder called jre7) to a standard install of 1.7.55, it just empties the jre7 folder and installs Patch 55 in the same place. The existing installer already removes non-Static versions now, so if they're going to start forcing more removals of older versions, I can only assume that means it will remove even Static installations. This Static removal policy needs to be a command-line toggle that I can prevent. My company utilizes Java as a cross-platform development engine to run one of our major products on. Each version of our software is tied to a specific version of Java, and as such, engineers end up having multiple versions of Java installed to support each version of our software. Because of this, we're always installing newer versions of Java while not wanting to remove the older versions.
1. Re:This new change needs to be optional by Bite+The+Pillow · 2015-12-22 04:27 · Score: 1
  
  Sounds like you have a warning to change how you develop.
  I suspect that running a new installer followed by older ones will keep the static versions intact, but that only baselines. It won't work forever.
  You got some work to do.
2. Re:This new change needs to be optional by Anonymous Coward · 2015-12-22 05:33 · Score: 0
  
  I currently maintain 1.5 and 1.6 on my machine to be able to manage ancient HP printers. There are no firmware updates for these and they require specific versions of Java. I should throw out working equipment because people in general are too lazy to remove versions they don't need?
Better yet by Anonymous Coward · 2015-12-22 03:44 · Score: 0

They should quit trying to get Ask installed - yep. But also let's get some freakin clarity to the fact that all these updates do most times is break stuff. If there's an update, the browsers now go ape shit until you update. And it can reset your previous settings. Oh and all those old and never to be updated devices out there we need to connect to, now cannot because of the dang Java update to a later level. Brilliant. Every update is now an "OMG CRITICAL SECURITY PATCH! OMG!" It's pretty pathetic.
FTC isn't paid to settle everything with fines by Bob_Who · 2015-12-22 04:00 · Score: 1

The FTC's job is to protect the consumer, not be on the corporate kickback payroll.
FTC fines are a perverse incentive that creates predictable costs to the profitable bottom line of the bottom feeders in a corporate plutocracy.
Its like Oracle's performance in the America Cup: unethical, admonished, but ultimately victorious.
Harmless? by countach · 2015-12-22 04:01 · Score: 1

Aren't installations that aren't the primary one rather harmless? If the browser doesn't link to them and they aren't on your run path, then they are just harmless bits, no? If anything with evil intent on your system had the power to execute them, then it was already game over.
Seems reasonable by rsilvergun · 2015-12-22 04:23 · Score: 1

this looks more like a mistake than anything else. It's nice to see the FTC calling them on it (nobody else had) but punishing companies for a mistake before giving them the chance to correct it wouldn't exactly be fair.

--
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
now, about that deceptive licensing and charges... by swschrad · 2015-12-22 08:45 · Score: 1

"first, we need to determine precisely what the company is spending on these sailing days..."

--
if this is supposed to be a new economy, how come they still want my old fashioned money?
can't even spell Ass right by swschrad · 2015-12-22 08:46 · Score: 1

bunch'a'losers

--
if this is supposed to be a new economy, how come they still want my old fashioned money?