Feds require consumer warnings about older Java software


San Francisco (AP) – PC users will see more warnings about the dangers of keeping outdated software on their machines, under a legal settlement negotiated by tech giant Oracle and regulators at the Federal Trade Commission.

The FTC says Oracle Corp. deceived consumers for several years by promising that updating their Java software would keep them safe from malware and hacking attacks. Until last year, the FTC says, the update tool provided by Oracle did not remove some older versions of Java, which meant PCs were still vulnerable.

Many consumers aren’t aware they use Java, which comes pre-installed on many PCs and helps with the operation of many web-based functions, including online calculators, games, chatrooms and even viewing 3D images. The FTC estimates Java can be found on more than 850 million PCs.

Oracle had been aware since 2010 that older versions of Java had security flaws that left their users vulnerable to malicious attacks, according to the FTC. But earlier update procedures installed a new version of the program without removing the older ones. Oracle later changed its Java update tool to make it remove the most recent version, the FTC says. But until August 2014, the tool still left some older versions untouched.

The FTC says Oracle revised its Java update tool again last year, to help users remove all earlier versions. Even so, some PC users may still have older versions on their machines.

In a statement announcing the settlement, the FTC said Oracle’s internal documents show that it knew that its earlier procedures left some PCs vulnerable to hacking, despite its assurances to PC users. An Oracle spokeswoman declined comment Monday.

Without admitting any wrongdoing, Oracle settled an FTC complaint by promising that current and future Java updates will automatically search for all older versions of the software. If an older version is found, the update tool will notify PC users of the security risk and provide a way to remove it. Oracle also promised to publicize the danger of leaving older versions of Java on PCs, by posting notices on social media and sending bulletins to leading distributors of security software.

PC users can remove old versions of Java by updating to the current version, Java 8, or by using the tool at java.com/uninstall.