Message-ID: <4EB17806.7020901@gmail.com>
Date: Wed, 02 Nov 2011 18:04:06 +0100
From: Tomasz Ostrowski <tometzky@...il.com>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Citibank CitiDirect - forced usage of vulnerable version of Java Runtime Environment

Citibank CitiDirect Online Banking is (again) forcing usage of a 
vulnerable version of the Java Runtime Environment.


     Vulnerable product information

CitiDirect Online Banking is Citibank's Web-based banking platform.


     Vulnerability description

CitiDirect requires the Java Runtime Environment (JRE) installed on the 
client's computer and the Java plugin enabled in the client's browser. But 
it requires a "supported version" of Java, and the list of supported 
versions often does not include the latest version for weeks after its 
release:
     Supported JRE Versions
     https://citidirect-eb.citicorp.com/logon/SunVersionHelp.html
It is now over 2 weeks after the release of Java 6 update 29, with 20 
security vulnerabilities (some critical) fixed:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
It is still "unsupported" though.

Users of an unsupported version of the JRE are denied access to online 
banking - "The version of Sun Java™ software currently installed on your 
computer does not meet the requirements to run CitiDirect® Online Banking".


     Impact of vulnerability

Users are forced to use in a browser a version of the JRE plugin that is 
vulnerable to publicly known vulnerabilities.

Also, users are trained to ignore notifications from Java about new 
versions, as installing them denies them access to their money. It makes 
them vulnerable permanently. And CitiDirect is happy to work with Java 
as old as 1.4.2, with thousands of known vulnerabilities and hundreds of 
available exploits.


     Vendor response

I've contacted support for Citibank Poland. I've received information 
that Java 6u29 will be supported on November 21st - over a month after 
publication.

They told me that "Caring of reliability and security of their systems, 
which are key issues for their clients, Citi has heightened quality 
procedures, which mission is to ensure compatibility of new software 
version with their platform."

Of course. The problem is they do not care about the reliability and 
security of their clients' systems, which have to rely on prompt updates 
for security.

"Although this procedure is time-consuming it is a widely accepted 
standard in this business: vendors pass on test versions first, which 
are then subjected to heightened quality process."

So they trade a very small risk of some hypothetical incompatibility, 
which can always be mitigated by just uninstalling the new version and 
installing an older one, for a very high and real risk of their clients 
getting hacked.


     Suggested actions for vendor

CitiDirect should allow the latest and future versions of Java to access 
the site. It can display a warning that this version of Java is not yet 
fully tested.

It should also display a prominent warning if it detects a vulnerable 
version of Java on the client's computer, urging them to upgrade. This 
way it can at least try to repair the damage it has already done.
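The two policies contrasted above, as an added example that is not part of the original post and not CitiDirect's own code: the allow-list check that rejects any JRE version not on the vendor's tested list, beside a minimum-patched-version check that denies only versions older than the latest security release and lets newer, untested versions in with a warning. The version tuples, the tested list and the version-string format are assumptions.

```python
import re

# Assumed minimum patched level: Java 6 update 29, the release the post says
# fixes 20 vulnerabilities. Anything older is treated as vulnerable.
MIN_PATCHED = (1, 6, 0, 29)
# Constructed sample of a vendor's "supported/tested" list. It lags the
# security release, just as the post describes (6u29 is not on it yet).
TESTED_ALLOWLIST = {(1, 6, 0, 26), (1, 6, 0, 27)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_jre_version(text):
    """Turn a JRE version string such as '1.6.0_29' or '1.4.2_19' into a tuple
    of ints, so comparisons are numeric rather than lexicographic on strings."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def allowlist_policy(version_text):
    """The weak policy: only versions on the tested list may log on. A freshly
    patched JRE is rejected while an older, vulnerable one is accepted."""
    return "allow" if parse_jre_version(version_text) in TESTED_ALLOWLIST else "deny"


def minimum_version_policy(version_text):
    """The corrected policy: deny only versions below the latest security
    release; admit newer, not-yet-tested versions with a warning."""
    v = parse_jre_version(version_text)
    if v < MIN_PATCHED:
        return "deny", "JRE older than the latest security release; upgrade first"
    if v == MIN_PATCHED:
        return "allow", "current security release"
    return "allow-warn", "newer than the current security release; not yet fully tested"


if __name__ == "__main__":
    for sample in ("1.4.2_19", "1.6.0_27", "1.6.0_29", "1.6.0_30"):
        print(sample, allowlist_policy(sample), minimum_version_policy(sample))
```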


     Suggested actions for clients

Change your bank, as Citibank is blatantly ignorant about security. Then 
upgrade or uninstall Java as soon as possible. Or upgrade Java now and 
wait 3 more weeks without access to your money.


Regards
Tomasz "Tometzky" Ostrowski

PS. I posted a similar advisory in June 2010:
http://seclists.org/fulldisclosure/2010/Jul/113
2 days later the updated Java was supported. And since then every version 
was supported even before it was officially published by Oracle, until 
this one. I do not understand why it was possible then and it is not 
possible now.

-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
                                                       Winnie the Pooh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/