Ever felt like Oracle may not have had your best interests in mind with Java? Turns out you aren't the only one. The FTC alleged that Oracle engaged in deceptive business practices by offering patching programs that installed new versions of Java, but failed to remove old versions. Of course this left millions of machines vulnerable to attack even though consumers thought they were doing the right thing. The FTC also alleges that Oracle knew this was a problem and did nothing.
Yesterday, the FTC reached a proposed settlement with Oracle. But depending on who you ask, this doesn't go nearly far enough.
Under the terms of the proposed consent order, Oracle will be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.
But how many consumers will truly understand what is being asked of them? Do you really want to uninstall earlier versions? In the SOHO market, uninstalling old versions may break software that consumers depend on, so it will be interesting to see how instructions to consumers are worded.
One thing is for sure though: with Oracle put on notice by the FTC, we can expect other software vendors to take a careful look at their software patching policies. Failure to do so will clearly draw the ire of the FTC.
For once, good for the FTC. Never mind the SOHO market, I can name plenty of examples in the corporate/enterprise area where applications depend on old/outdated/buggy versions of Java. Fixing Java's security holes will have a ripple effect across vendors who embed Java apps in their products. It's about time!