Security Bulletin: Steps you should take to fix a Java SE security risk on your computer

Welcome to a very unusual cybersecurity article! Why is it unusual? The title of this Security Bulletin and most of its content was provided by Oracle, the maker of the Java computer programming language. In fact, ESET is publishing this information on We Live Security at the request of Oracle. And Oracle made the request because it was ordered to do so by the US Federal Trade Commission (FTC).

That’s right the US government can require a US company (in this case Oracle) to distribute quite specific technical information to the public, if it is deemed necessary to the cybersecurity of consumers and the country. While ESET was under no legal obligation to comply with Oracle’s request, it was decided that doing so would help to improve cybersecurity for many consumers. You can learn more about how this all came about in a separate article here.

The point of the current article is to make sure that all consumers are aware of the need to delete older versions of Java SE from their computers. Why? Because “holes” in those old versions pose a serious risk to the security and privacy of information stored or accessed by them. In technical terms, those expired versions of Java SE contain vulnerabilities that provide criminals with a number of ways to sneak their malicious code onto your computer. If you are using a newer version of Java you might think that you are not exposed but, as the official statement from Oracle below explains, the installation of newer versions did not always delete the older versions. In other words, they could still be there, ready to be exploited by anyone who is prepared to use malware.

So, please read the following message and, if appropriate, follow the instructions that Oracle has provided for removing older versions of Java. Note that these are not ESET instructions, they come from Oracle. If you encounter any problems you should contact Oracle, which is committed to helping people remove old versions of Java SE. Also note that the uninstall tool referenced in Oracle’s message only works on Microsoft Windows (see the Notes below if you are using a Mac or Linux system).

Here is the text of the message that Oracle asked ESET to publish:

Steps you should take to fix a Java SE security risk on your computer

Dear Java SE customer:

We’re sending you this message because you may have downloaded, installed, or updated Java SE software on your computer. The Federal Trade Commission, the nation’s consumer protection agency, has sued us for making allegedly deceptive security claims about Java SE. To settle the lawsuit, we agreed to contact you with instructions on how to protect the personal information on your computer by deleting older versions of Java SE from your computer. Please take the suggested steps as soon as possible.

Here’s a summary of what the FTC lawsuit is about. The FTC alleged that, in the past, when you installed or updated Java SE, it didn’t replace the version already on your computer. Instead, each version installed side-by-side at the same time. Later, after we changed this, installing or updating Java SE removed only the most recent version already on your computer. What’s more, in many cases, it didn’t remove any version released before October 2008.

Why was that a problem? Earlier versions of Java SE have serious security risks we corrected in later versions. When people downloaded a new version, we said they could keep Java SE on their computer secure by updating to the latest version or by deleting older versions using the Add/Remove Program utility in their Windows system. But according to the FTC, that wasn’t sufficient. Updating to the latest version didn’t always remove older versions. So many computers had several versions installed.

That creates a serious security vulnerability. Even if you installed the most recent version of Java SE, the personal information on your computer may be at risk because earlier, less secure versions could still be executed.

To fix this problem, visit http://java.com/uninstall, where instructions on how to uninstall older versions of Java SE are provided. This webpage also provides a link to the Java SE uninstall tool, which you can use to uninstall older versions of Java SE. You may also go to
http://java.com/uninstallhelp if you have any additional questions or concerns.

To learn more about this lawsuit, call the FTC at 1-888-922-7836.

<End of Oracle Statement>

Notes:

1. Just to be clear, the above instruction are not from ESET. They come from Oracle, at the request of the FTC, and if you encounter any problems with them you should contact Oracle, which has provided a special page to request help with Java uninstallation.

2. If you are using a company computer or working in a corporate environment Oracle recommends that you check with your IT manager or IT services supplier before running the Oracle Java uninstall tool. It is possible that your organization uses an internally developed application that relies on an older version of Java.

3. The Oracle Java Uninstall Tool only works on Microsoft Windows, so Oracle has provided information for Mac OS X users here. The short version is that Apple disabled older versions of Java. For Linux users, instructions on uninstalling Java for Linux are here.

java-uninstall-news4. The latest version of the official Java SE package for US consumers can be found here. Do not download it from anywhere else.

5. The install process for the latest version of Java SE should automatically detect older Java versions as seen on the right. The default action is to uninstall them.

6. We found that Oracle’s Java Uninstall tool sometimes needed to be run twice to complete the removals. Also, some removals did not register until the browser (Firefox in our tests) was restarted.

7. Oracle has more information about why you should uninstall older versions of Java in an FAQ here.

Author Stephen Cobb, ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.