
Java Security Updates May Not Actually Be Secure

With Java SE reportedly installed on 850 million PCs, the “Java Update Available” popup has become a well-known nuisance. But keeping software up-to-date is supposed to help protect us. According to the FTC, Java updates might be an exception to that rule.

The key issue is that Java updates have not always removed older versions of Java when installing the newer patch. This leaves the vulnerable versions still accessible on your PC. Oracle has just settled charges brought by the FTC for knowingly leaving users’ PCs vulnerable. To settle, it has offered to warn users of the insecurity of keeping older versions and to provide tools to help remove old versions from affected PCs.

“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.” —  FTC Press Release

To make matters worse, the FTC claims that Oracle has known about this issue for some time and has been intentionally deceiving customers.

In 2011, according to the FTC’s complaint, Oracle was aware of the insufficiency of its update process. Internal documents stated that the “Java update mechanism is not aggressive enough or simply not working,” and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers. —  FTC Press Release

If you want to make sure that you don’t have any stray versions of Java on your PC, you can use the Oracle Java Uninstall tool.  Or you can just uninstall all versions of Java, as it’s quickly following in Flash’s footsteps, becoming a remnant of the past that isn’t very useful anymore.
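To see which Java versions are still registered on a Windows PC before removing them, the following PowerShell inventory can help. It is an added example, not part of the original article or an Oracle tool; the display-name pattern is an assumption about how Java installers label themselves, and `Get-InstalledJava` is a name chosen here.

```powershell
# Added example: list Java installs registered with Windows and flag every
# entry older than the newest one found. Read-only; nothing is uninstalled.

# Both registry views are checked: 64-bit Windows records 32-bit installs
# under WOW6432Node, so an old 32-bit Java can sit beside a new 64-bit one.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: entries are named like "Java 8 Update 66" or
# "Java(TM) SE Development Kit 7 Update 45". Adjust if yours differ.
$namePattern = '^Java(\(TM\))? (\d|SE )'

function Get-InstalledJava {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $namePattern } |
        ForEach-Object {
            # DisplayVersion is a string such as "8.0.660.17"; parse it so
            # versions compare numerically rather than alphabetically.
            $parsed = $null
            [void][version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $parsed
                RawVersion  = $_.DisplayVersion
                Is32BitView = $_.PSPath -like '*WOW6432Node*'
                Uninstall   = $_.UninstallString
            }
        }
}

$found  = @(Get-InstalledJava)
$newest = ($found | Where-Object Version |
           Sort-Object Version -Descending |
           Select-Object -First 1).Version

# An entry is stale if it is older than the newest version present, or if
# its version could not be parsed (treat unknown as needing review).
$found | Sort-Object Version -Descending |
    Select-Object Name, RawVersion, Is32BitView,
        @{ Name = 'Stale'; Expression = { -not $_.Version -or $_.Version -lt $newest } },
        Uninstall |
    Format-Table -AutoSize
```

This only sees installs that registered an uninstall entry for all users; a Java runtime that was unpacked from an archive or bundled inside another application's folder will not appear and has to be found by searching the disk.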

Rachel Snowbeck
