Oracle's website, social media to wear sandwich board of shame over Java SE insecurity

December deal will officially go into effect

The US Federal Trade Commission (FTC) has signed off a settlement with Oracle over its handling of Java SE updates.

The regulator said all four commissioners voted to approve the deal, which requires Oracle to alert everyone visiting its website and social media profiles to the fact that it left old and vulnerable editions of Java SE on computers – leaving people at the mercy of hackers when they thought they were patched up.

Oracle must explain on its website for the next two years how the Java SE installation process works, and show people how to remove the leftover insecure builds of the software.

The vote finalizes a set of rules first put forward in December, when the FTC announced that it had struck the deal with Oracle to settle a complaint over how Java SE updates were handled. The FTC had charged that Oracle failed to adequately notify users when older versions of Java SE were left on their systems. This, in turn, left users vulnerable to security flaws in the older software, the FTC charged.

With the settlement [PDF] now approved, the FTC's complaint will officially be resolved and the clock will start on a 20-year term (expiring January 28, 2036) during which time Oracle will be required to adhere to the conditions for notifying users.

Of course, if one ambitious (or possibly delusional) developer gets his wish, simply using Java will be illegal in the US. In a White House Petition, the filer known only as "M.J." of Mountain View, California, asks President Obama to make Java, Ruby and JavaScript "illegal" to use in the US and its territories.

"We have an expanding array of options in the tool kit of any software developer," the petition reads. "Some of these tools represent a grave risk to the reliability and safety of our nation's critical infrastructure."

It seems, however, that barring a major rally by the developer community, the petition will fall well short. With a deadline of April 15, it currently has just 61 of the 100,000 signatures needed to advance. ®
