Millions of Java users will be warned that they may be exposed to malware due to a pre-existing flaw in the software’s update tool.
Oracle, the distributor of the Java plug-in that lets personal computers run small programs, has agreed to issue an alert to millions of users at the conclusion of an investigation by the Federal Trade Commission (FTC), according to the BBC. Under the agreement the software giant avoids a fine, although the company denies any wrongdoing.
The FTC complaint read:
The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive information.
The complaint alleged that Oracle was entirely aware of the security issues plaguing the Java Standard Edition (SE) plug-in, when it acquired the plug-in’s developer Sun Microsystems in 2010.
The complaint also alleged that Oracle had delivered false promises to its customers after insisting that updates to the software would ensure that their computers would be “safe and secure.”
The FTC notes that the firm did not acknowledge any of these risks in the pitch surrounding its software.
The Fundamental Flaw
The flaw stems from the update process of the original developer, Sun Microsystems: installing an update did not delete earlier versions of the software already on the machine. Because the code of those previous versions remained installed, attackers could still exploit their known vulnerabilities.
While Oracle tried to fix this, its update tool removed only the most recent prior version of Java, so older versions of the software remained on the computer. Oracle finally fixed the problem in August 2014.
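The practical consequence of the flaw described above is that a machine can carry several Java SE installs at once, with only the newest actually patched. The following audit check is an added example, not code from the article or from Oracle; it takes a constructed list of installed-program names (assumed to follow the "Java N Update M" naming seen in Windows program lists) and reports every Java entry older than the newest one, which is exactly what a correct updater should have removed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of an "installed programs" list, as a PC that has been
# through several Java SE updates might show it (values invented for this example).
INSTALLED_PROGRAMS = [
    "Java(TM) 6 Update 31",
    "Java 7 Update 45",
    "Java 7 Update 71",
    "Java 8 Update 60",
    "Mozilla Firefox 42.0",
]

# Matches names such as "Java 7 Update 45" or "Java(TM) 6 Update 31"
JAVA_RE = re.compile(r"^Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)$")


def parse_java_entry(name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java SE program entry, or None for anything else."""
    m = JAVA_RE.match(name)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def find_stale_java(entries: List[str]) -> Tuple[str, List[str]]:
    """Return (newest Java entry, older Java entries still installed).

    Every entry in the second list is a leftover that the flawed updater described
    in the article would have left behind; each one should be uninstalled.
    """
    versions = [(v, e) for e in entries if (v := parse_java_entry(e)) is not None]
    if not versions:
        return ("", [])
    versions.sort(key=lambda t: t[0])        # oldest first, by (major, update)
    newest = versions[-1][1]
    stale = [e for _, e in versions[:-1]]
    return (newest, stale)


if __name__ == "__main__":
    newest, stale = find_stale_java(INSTALLED_PROGRAMS)
    print("Current:", newest)
    for entry in stale:
        print("STALE, remove:", entry)
```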
Java SE is tremendously popular software on personal computers, with estimates of up to 850 million installs.
While Java is still used to run certain web-based games, chat tools and more, one security researcher sees this incident as a reason for Java to die a slow death similar to Flash.
Rik Ferguson, vice president of security research at Trend Micro stated:
Java is one of the top three applications that criminals target. It comes pre-installed on a lot of machines, so a lot of people don’t know they are using it.
There are times in some businesses where there may be internal applications that require Java in the web browser, so you won’t have much option, but our recommendation for others is to remove it and stop using it.