Oracle Corp has settled allegations by the Federal Trade Commission that it failed to warn customers about security risks its updates left unaddressed when it released security updates for an estimated 850 million U.S. computers running Java SE software, the agency said.
The FTC alleged that Oracle promised consumers its updates would make the software "safe and secure." In fact, the agency said, the updates removed some of the vulnerable software but left behind older versions of Java that remained exploitable. Because an attacker only needs one vulnerable runtime on the machine, a newer Java sitting alongside an unremoved older one does not close the exposure.
Oracle, which acquired Java in 2010 when it bought Sun Microsystems, Inc., declined to comment on the settlement. Under the terms of the settlement, Oracle is required to notify customers via Twitter or Facebook about how to remove the older software, and to help those updating their Java software remove older versions.
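The practical check that follows from this story is an inventory of every Java runtime on a host, not just the one on the PATH. The script below is an added example and is not code from the article, Oracle or the FTC: it parses the output of `java -version` for each runtime it is given (both the legacy `1.8.0_66` form and the post-JEP-223 `11.0.2` form), picks the newest, and reports every other install as a leftover to remove. The `-version` outputs in `SAMPLE_VERSION_OUTPUT` are constructed so the script runs offline; the search directories in `discover_java_binaries` are common locations assumed for illustration, not a complete list.

```python
import glob
import os
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample: what `java -version` prints (on stderr) for four
# runtimes found on one machine. Not real data from the article.
SAMPLE_VERSION_OUTPUT = [
    'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    'java version "1.7.0_80"\nJava(TM) SE Runtime Environment (build 1.7.0_80-b15)',
    'java version "1.8.0_66"\nJava(TM) SE Runtime Environment (build 1.8.0_66-b17)',
    'openjdk version "11.0.2" 2019-01-15\nOpenJDK Runtime Environment 18.9 (build 11.0.2+9)',
]

# Assumed search locations; extend for your environment.
SEARCH_GLOBS = [
    "/usr/lib/jvm/*/bin/java",
    "/usr/java/*/bin/java",
    "/Library/Java/JavaVirtualMachines/*/Contents/Home/bin/java",
    "C:/Program Files/Java/*/bin/java.exe",
    "C:/Program Files (x86)/Java/*/bin/java.exe",
]

_VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)


def parse_java_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract the version from `java -version` output as a comparable tuple.

    Legacy scheme 1.8.0_66 -> (8, 0, 66); current scheme 11.0.2 -> (11, 0, 2).
    Pre-release and build suffixes (-ea, +9) are dropped.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    raw = re.split(r"[-+]", m.group(1), maxsplit=1)[0]
    parts = [int(p) for p in re.split(r"[._]", raw) if p.isdigit()]
    if not parts:
        return None
    if parts[0] == 1 and len(parts) > 1:
        parts = parts[1:]  # "1.x" scheme: the feature release is the second field
    parts = (parts + [0, 0, 0])[:3]  # pad so (17,) compares like (17, 0, 0)
    return tuple(parts)  # type: ignore[return-value]


def find_stale_installs(outputs: List[str]):
    """Return (newest_version, sorted list of older versions still installed)."""
    versions = [v for v in (parse_java_version(o) for o in outputs) if v is not None]
    if not versions:
        return None, []
    newest = max(versions)
    stale = sorted(v for v in versions if v < newest)
    return newest, stale


def discover_java_binaries() -> List[str]:
    """Enumerate java executables in the assumed locations on the live host."""
    found = []
    for pattern in SEARCH_GLOBS:
        found.extend(p for p in glob.glob(pattern) if os.access(p, os.X_OK))
    return sorted(set(found))


def collect_version_outputs(binaries: List[str]) -> List[str]:
    """Run each binary with -version; the version banner goes to stderr."""
    outputs = []
    for exe in binaries:
        try:
            proc = subprocess.run([exe, "-version"], capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            continue
        outputs.append(proc.stderr + proc.stdout)
    return outputs


def fmt(v: Tuple[int, int, int]) -> str:
    return ".".join(str(x) for x in v)


if __name__ == "__main__":
    binaries = discover_java_binaries()
    outputs = collect_version_outputs(binaries) if binaries else SAMPLE_VERSION_OUTPUT
    newest, stale = find_stale_installs(outputs)
    print(f"newest runtime: {fmt(newest) if newest else 'none found'}")
    for v in stale:
        print(f"leftover runtime still installed: {fmt(v)} (remove it)")
```

Run on the constructed sample, the script reports Java 11.0.2 as newest and lists 6.0.45, 7.0.80 and 8.0.66 as leftovers, which is exactly the condition the FTC complaint describes. On a live host it prefers the runtimes it actually finds; a result of more than one version is the signal to act on, regardless of which one the PATH points at.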
The key violation here was actually remedied in 2014, Al Hilwa, a program director with IDC, told CIO.com. But "this is a settlement after the fact, and the issue relates to the period when Oracle's software did not remove prior versions of Java," said Hilwa.
He adds in the report that the settlement sets a precedent for software vendors. Meanwhile, there is considerable awareness throughout the industry that the majority of security issues are related to older versions of software. "In a sense, we have shifted in the industry to a view where software is organic and is constantly updated throughout its deployment lifecycle," he told CIO.com.

With inputs from Reuters