Oracle's Settlement With FTC Over Java Could Start Bigger Conversation About Vulnerability Disclosure

Oracle has settled complaints with the Federal Trade Commission over security issues with its Java Platform, a move security experts said should herald more full-disclosure initiatives from software companies about vulnerabilities and patching.

The FTC complaint said Oracle’s Java Platform, Standard Edition software (Java SE) deceived customers about how secure it was, leaving some older, vulnerability-filled versions of the software on systems while updating customers to the newest versions. The FTC said Oracle specifically did not uninstall versions before Java SE version 6 update 10.

The FTC complaint said Oracle was aware of these "significant security issues," but deceived customers by promising that updates ensured the system would be "safe and secure." The FTC said it found a large number of hacking incidents that exploited vulnerabilities in the older Java SE software, including allowing them to access consumer user names, passwords and other sensitive information.

[Related: Oracle CSO Scolds Customers For Scanning Software For Security Bugs]

Sponsored post

"When a company's software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software," Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement. "The FTC's settlement requires Oracle to give Java users the tools and information they need to protect their computers."

Java SE is installed on an estimated 850 million personal computers, the announcement said. Oracle, Redwood Shores, Calif., declined requests for comment from CRN on what the settlement means for partners.

As part of the settlement, Oracle is required to broadly notify customers of the security flaws and settlement, including across its social media posts and websites and during the update process. Oracle must also notify customers of the risks of having older versions of the software and give them the option to uninstall it, the announcement said.

The settlement also says that Oracle is prohibited from making "further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle provides."

Doug Cahill, senior analyst, cybersecurity at Milford, Mass.-based Enterprise Strategy Group, said the incident raises broader questions about how software vendors handle their vulnerability disclosures.

"I think the bigger picture is that Oracle, as the publisher of a run-time engine that is so broadly deployed, has an obligation in the context of cybersecurity … to disclose and educate their customers in all aspects of the vulnerability and patch the vulnerability," Cahill said. "Instead of taking shots at Oracle, this is learning inflection point around full disclosure of patches."

Despite the wide-reaching implications of this security settlement, Cahill said he doesn’t expect to see any long-term effects to Oracle's security reputation. He said security was "front and center" at the recent Oracle OpenWorld event.

"I think anybody in the industry that has any concern about Oracle brand as a result of this FTC ruling should also take note that at Oracle World, security was really front and center. It was part of the narrative," Cahill said.

Going into 2016, Cahill said, cybersecurity needs to be more of a "team sport" from software vendors. He said developers and vendors need to work together to collaborate on threat intelligence and patch vulnerabilities as efficiently as possible.

He said he believes this latest settlement with Oracle will prompt more Java-based software developers to support the latest version of the software to avoid built-in vulnerabilities.

"The really big picture is that security is a team sport. We have adversaries collaborating together on what are the most effective attack vectors, and it needs to be a team sport on the white hat side as well," Cahill said.