Wednesday, July 7, 2010

Citibank: Forcing Users To Use A Vulnerable Java For Browsers

Citibank CitiDirect users, please be advised that the company is forcing the use of a vulnerable version of the Java Runtime that is embedded in internet browsers.

To view this vulnerability and others, please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).
CitiDirect-SA-07/07/2010: Citibank CitiDirect - forced usage of vulnerable version of Java Runtime Environment
CitiDirect requires Java Runtime Environment (JRE) installed on the client's
computer and the Java plugin enabled in the client's browser. But it requires a
"supported version" of Java, a list of which often does not include
the latest version for months after release:
Users of an unsupported version of JRE are denied access to online banking
- "The version of Sun Java™ software currently installed on your
computer does not meet the requirements to run CitiDirect® Online Banking".
Impact of vulnerability

Users are forced to use in a browser a version of the JRE plugin that is
vulnerable to publicly known vulnerabilities, with publicly available
exploits.

Also, users are trained to ignore notifications from Java about new
versions, as installing them denies them access to their money. It makes
them vulnerable permanently.