BreachExchange mailing list archives

Nuke Old Java, FTC Tells Oracle


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 23 Dec 2015 18:20:23 -0600

http://www.databreachtoday.com/blogs/nuke-old-java-ftc-tells-oracle-p-2014

You made this mess, now you'll clean it up.

That's the security <http://www.databreachtoday.com/cybersecurity-c-223>
message of the Federal Trade Commission's
<https://www.ftc.gov/news-events/press-releases/2015/12/oracle-agrees-settle-ftc-charges-it-deceived-consumers-about-java>
Dec. 21 settlement with technology
<http://www.databreachtoday.com/technology-c-177> giant Oracle. The agency
alleges that Oracle has been making "deceptive security claims about Java
SE" relating to how it has been updating - or not - older versions of the
run-time environment and browser plug-ins. Oracle acquired Java when it
bought Sun Microsystems in 2010.

"When a company's software is on hundreds of millions of computers, it is
vital that its statements are true and its security updates actually
provide security for the software," says Jessica Rich, director of the
FTC's Bureau of Consumer Protection. "The FTC's settlement requires Oracle
to give Java users the tools and information they need to protect their
computers."

Here's how Oracle sees the matter: "The FTC alleged that, in the past, when
you installed or updated Java SE, it didn't replace the version already on
your computer. Instead, each version installed side-by-side at the same
time. Later, after we changed this, installing or updating Java SE removed
only the most recent version already on your computer. What's more, in many
cases, it didn't remove any version released before October 2008."

That language comes via a security notice, including Java uninstallation
instructions, that Oracle has promised to distribute via its own Facebook
and Twitter accounts, according to the FTC's proposed consent order
<https://www.ftc.gov/system/files/documents/cases/151221oracleorder.pdf>,
which is now open for public comment for 30 days. Oracle has also promised
to contact numerous anti-virus vendors and request that they too issue the
security alert verbatim to their users.

The FTC's move is notable, because it's the first time the agency has
cracked down on a company for failing to eliminate vulnerable versions of
its software when users install a new update. In this case, the agency
alleges that whenever a Java update was available, Oracle's installation
screens stated that "Java provides safe and secure access to the world of
amazing Java content," and that after updating, the user's system would
have "the latest ... security improvements."

By failing to delete older versions of Java installed on the same system,
Oracle arguably left users at even greater risk, because they might have
reasonably expected to have expunged older, dangerous versions of Java when
installing the latest update.

"The security issues allowed hackers to craft malware that could allow
access to consumers' usernames and passwords for financial accounts, and
allow hackers to acquire other sensitive personal information through
phishing attacks," the FTC notes.

According to an internal Oracle memorandum cited by the FTC, the company
knew that it had a problem with the updating process, reporting that the
"Java update mechanism is not aggressive enough or simply not working." The
FTC alleges that Oracle failed to provide proper warnings or help to users.

The FTC's move has been lauded by some security researchers. "We're really
glad to learn that the U.S. regulatory body investigated Oracle and put the
company to order [over] its deceitful practices and claims regarding Java
SE security," veteran Java bug-hunter Adam Gowdiak
<http://www.databreachtoday.com/google-app-engine-flaws-described-a-8227>,
who heads Polish security and vulnerability research firm Security
Explorations, tells me. "We hope the FTC ruling will pave the way for
making software vendors liable for the quality and security of their
products some time in the future."

Why Attackers Love Java

Java has been frequently targeted by automated crimeware exploit toolkits.
<http://www.databreachtoday.com/flash-targeted-by-zero-day-exploit-a-7824>
That's because there are so many outdated versions of Java - sporting known
vulnerabilities - offering cybercriminals an easy and reliable way to
compromise numerous PCs. Recently published research from security vendor
Kaspersky Lab, for example, notes that in 2015, Java was targeted by online
attackers three times as frequently as Adobe Flash. Overall in 2015, 13
percent of all online attacks targeted Java, putting it in third place
after browsers (62 percent) and Android
<http://www.databreachtoday.com/updated-mobile-malware-targets-android-a-8764>
(14 percent).

A while back, I documented
<http://www.darkreading.com/vulnerabilities-and-threats/java-security-warnings-cut-through-the-confusion/d/d-id/1108258?>
the difficulty that users often faced when trying to determine how many
different instances of Java might be installed on their Windows or Mac OS X
device. The What Version of Java Are You Using?
<http://javatester.org/version.html> website, for example, offers nine
techniques to help users try and answer those questions.

The latest version of Java - version 8, first released in March 2014 -
finally included the ability to automatically install new Java updates from
Oracle, which is an essential defense for keeping the software patched,
especially after new zero-day attacks get discovered. In January, Oracle
also began automatically upgrading all Java 7 users to Java 8.

Flurry of FTC Enforcement Actions

The FTC's Oracle settlement follows the agency reaching a settlement
agreement with the hotel chain Wyndham over three security breaches in 2008
and 2009 that exposed information on 619,000 payment cards as well as
personally identifiable information (see *Wyndham Agrees to Settle FTC
Breach Case*
<http://www.databreachtoday.com/wyndham-agrees-to-settle-ftc-breach-case-a-8737>).
Likewise, despite a recent setback, the FTC has also promised to continue
to pursue its case against medical testing laboratory LabMD over claims
that the company suffered two data breaches that left consumers at risk of
identity theft (see *FTC to Appeal Ruling that Dismissed LabMD Case*
<http://www.databreachtoday.com/ftc-to-appeal-ruling-that-dismissed-labmd-case-a-8706>).

The FTC lacks the legal authority
<https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority> to fine
organizations outright if they break consumer protection laws. But the
agency is empowered to investigate alleged violations and file related
complaints, on which a court can then rule. Instead, many organizations
agree to a settlement - without confirming or denying the FTC's allegations
- that specifies that they will be fined if they break the settlement
terms, and which precludes them from challenging or contesting the
settlement terms.

Thus it's notable that last week, the FTC announced that identity theft
monitoring firm LifeLock
<http://www.databreachtoday.com/lifelock-settles-ftc-case-for-100-million-a-8760>
settled a repeat infraction for a staggering $100 million, relating to the
company's failure to establish and maintain an information security program
to protect its customers' personally identifiable information.

Oracle, too, now faces the prospect of a massive fine if it violates the
proposed FTC settlement agreement. Let's hope instead that the company
simply cleans up the Java mess it created.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
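The article notes how hard it was for users to tell how many Java instances a machine carried once updates installed side by side instead of replacing the older runtime. The script below is an added example, not code from the article, from Oracle or from the FTC: it inventories Java homes under the conventional install directories (and, on Windows, the JavaSoft registry keys), normalises both the legacy `1.8.0_66` and the post-Java-9 `9.0.1` version formats into comparable tuples, and lists every install older than a chosen baseline. The directory list, the baseline and the sample install list are assumptions constructed for illustration.

```python
"""Inventory installed Java runtimes and report those older than a baseline.
Added example (not code from the article, Oracle or the FTC); install roots,
baseline and sample data are assumptions constructed for illustration."""
import os
import re
import sys

# Two version schemes: legacy "1.7.0_80" (feature 7, update 80) and the
# post-Java-9 "9.0.1" / "11.0.2+9"; both normalise to (feature, minor, update).
_LEGACY = re.compile(r"^1\.(\d+)(?:\.(\d+))?(?:_(\d+))?")
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")
_DIRNAME = re.compile(r"(?:jre|jdk|java)-?(\d+(?:[._]\d+)*)")  # jre1.8.0_66, jdk-11.0.2

# Assumption: conventional install parents on Windows, macOS and Linux.
DEFAULT_ROOTS = [r"C:\Program Files\Java", r"C:\Program Files (x86)\Java",
                 "/Library/Java/JavaVirtualMachines", "/usr/lib/jvm", "/usr/java"]
BASELINE = (8, 0, 66)  # assumption: the release considered current when auditing
# Constructed sample of a box updated several times without old runtimes removed.
SAMPLE_INSTALLS = [
    (r"C:\Program Files\Java\jre6", "1.6.0_45"),
    (r"C:\Program Files\Java\jre7", "1.7.0_80"),
    (r"C:\Program Files (x86)\Java\jre1.8.0_40", "1.8.0_40"),
    (r"C:\Program Files\Java\jre1.8.0_66", "1.8.0_66"),
]

def parse_version(text):
    """Return (feature, minor, update) for a Java version string, or None."""
    m = _LEGACY.match(text.strip().strip('"')) or _MODERN.match(text.strip().strip('"'))
    return tuple(int(g or 0) for g in m.groups()) if m else None

def version_from_name(name):
    """Version embedded in an install directory name, or None."""
    m = _DIRNAME.search(name)
    return m.group(1) if m else None

def version_from_release_file(home):
    """JAVA_VERSION from the 'release' file a JDK/JRE ships in its home, or None."""
    try:
        with open(os.path.join(home, "release"), encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.startswith("JAVA_VERSION="):
                    return line.split("=", 1)[1].strip().strip('"')
    except OSError:
        pass
    return None

def _windows_registry_installs():
    """(JavaHome, version) pairs from the JavaSoft registry keys; empty off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    results = []
    for key_path in (r"SOFTWARE\JavaSoft\Java Runtime Environment",
                     r"SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                for index in range(winreg.QueryInfoKey(key)[0]):  # subkey count
                    sub = winreg.EnumKey(key, index)
                    try:
                        with winreg.OpenKey(key, sub) as subkey:
                            results.append((winreg.QueryValueEx(subkey, "JavaHome")[0], sub))
                    except OSError:
                        continue  # subkey without a JavaHome value
        except OSError:
            continue  # key absent on this machine
    return results

def discover_installs(roots=DEFAULT_ROOTS):
    """Sorted (home, version) pairs; a home seen twice keeps its most specific version."""
    found = []
    for root in filter(os.path.isdir, roots):
        for name in sorted(os.listdir(root)):
            home = os.path.join(root, name)
            bundle = os.path.join(home, "Contents", "Home")  # macOS .jdk bundle layout
            home = bundle if os.path.isdir(bundle) else home
            version = version_from_release_file(home) or version_from_name(name)
            if version:
                found.append((home, version))
    best = {}
    for home, version in found + _windows_registry_installs():
        key = os.path.normcase(os.path.normpath(home))
        parsed = parse_version(version)
        if parsed and (key not in best or parsed > parse_version(best[key])):
            best[key] = version
    return sorted(best.items())

def stale_installs(installs, baseline=BASELINE):
    """Installs below the baseline: the side-by-side leftovers an update should have removed."""
    return [(home, v) for home, v in installs
            if parse_version(v) is not None and parse_version(v) < baseline]

if __name__ == "__main__":
    installs = discover_installs() or SAMPLE_INSTALLS  # sample only when nothing is found
    for home, version in stale_installs(installs):
        print(f"STALE {version:<10} {home}")
```

Run on a workstation, the output is the list of homes to uninstall; the registry keys also record a bare "1.8" alongside "1.8.0_66" for the same home, which is why duplicates are collapsed to the most specific version before comparison. Treat the baseline as an input, not a constant, since it moves with every Critical Patch Update.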