Citibank: Forcing Users To Use A Vulnerable Java For Browsers

Citibank CitiDirect users please be advised that the company is forcing the usage of a vulnerable version of Java Runtime that is embedded in internet browsers.

To view this vulnerability and others please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)

clipped from www.criticalwatch.com CitiDirect-SA-07/07/2010: Citibank CitiDirect - forced usage of vulnerable version of Java Runtime Environment CitiDirect requires Java Runtime Environment (JRE) installed on client's computer and Java plugin enabled in client's browser. But it requires a "supported version" of Java, a list of which often does not include latest version for months after release: Users of unsupported version of JRE are denied access to online banking - "The version of Sun Java™ software currently installed on your computer does not meet the requirements to run CitiDirect® Online Banking". Impact of vulnerability Users are forced to use in a browser a version of JRE plugin, that is vulnerable to publicly known vulnerabilities, with publicly available exploits. Also users are trained to ignore notifications from Java about new versions, as installing it denies them access to their money. It makes them vulnerable permanently.