Oracle settles with FTC over Java security flaws

Oracle has suffered another black eye over security flaws in its widely used Java software, as the US tech company on Monday settled a regulatory charge that it had deceived computer users about the safety of the software.

Java was singled out by Larry Ellison, the company’s chairman, as the key asset in his 2010 purchase of server maker Sun Microsystems. The software, which makes possible many features of web browsing, has since become an important weapon in Oracle’s arsenal against other tech companies. It prompted a partially successful lawsuit against Google’s Android mobile operating system that critics warn could have far-reaching effects in the tech world.

But security weaknesses in Java, dating from long before Oracle’s acquisition, have also made the software a problem for the company. In the worst incident, a number of leading tech companies, including Apple and Facebook, revealed in 2013 that attackers had used flaws in the software to penetrate their systems.

On Monday, the Federal Trade Commission accused Oracle of deceiving consumers over the degree to which updating the Java software to newer, safer versions protects their computers from attack. The complaint relates to the Java Standard Edition, which is installed on more than 850m PCs, the regulator said.

According to the complaint, Oracle did not warn computer users that updating Java does not automatically remove older — and less secure — versions of the software, with only the most recent version being deleted. That left millions of users exposed to attacks, including having the usernames and passwords of their financial accounts stolen, the regulator said.

The problem continued even though Oracle “was aware of the insufficiency of its update process” in 2011, the FTC said.

“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” Jessica Rich, director of the FTC’s consumer protection bureau, said.

Under a consent agreement announced on Monday, Oracle has been ordered to notify consumers who are updating Java if they have older versions of the software on their machines and give them the option to uninstall it.

Oracle declined to comment on the charge.
