Citibank CitiDirect Online Banking is forcing usage of vulnerable version of Java Runtime Environment. Vulnerable product information CitiDirect Online Banking [is a] Citibank's Web-based banking platform. CitiDirect puts all your corporate banking functions in one security-protected place, giving you around the globe, centralized access to your account information in real time right from your desktop. CitiDirect® is available in more than 90 countries and in 21 languages. It has more than 150,000 users within 25,000 corporate clients. [in 2004, now probably many more] Vulnerability description CitiDirect requires Java Runtime Environment (JRE) installed on client's computer and Java plugin enabled in client's browser. But it requires a "supported version" of Java, a list of which often does not include latest version for months after release: Supported JRE Versionse https://citidirect-eb.citicorp.com/logon/SunVersionHelp.html It is now over _3_ _months_ after release of Java 6 update 19, with 27 security vulnerabilities fixed: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html It is still "unsupported" though. And there's now update 20 released, which closes another vulnerability currently exploited in the wild. Users of unsupported version of JRE are denied access to online banking - "The version of Sun Java™ software currently installed on your computer does not meet the requirements to run CitiDirect® Online Banking". Impact of vulnerability Users are forced to use in a browser a version of JRE plugin, that is vulnerable to publicly known vulnerabilities, with publicly available exploits. Also users are trained to ignore notifications from Java about new versions, as installing it denies them access to their money. It makes them vulnerable permanently. Vendor response I've tried to contact Citibank at least from August 2007. I wasn't able to find a security contact anywhere on a citigroup.com pages. I've tried to contact by a web form https://www.citibank.com/domain/contact/visitor_email/form.htm but haven't received a response. So I have contacted phone support for Poland. Their responses were "entertaining", like: - we use 256 bit encryption so we are very secure; - you can use a vulnerable Java, because we will not try to break to your computer; - nobody will be able to write an exploit targeting a bank in a few weeks before a new version of Java is tested and marked supported. Suggested actions for vendor Vendor should allow latest and future versions of Java to access the site. It can display a warning, that this version of Java is not fully tested for at most a week after a new Java release. Vendor should also display a prominent warning if it detects a vulnerable version of Java in client's computer urging him to upgrade. This way it can at least try to repair damage it did already. Suggested actions for clients Change a bank, as Citibank is blatantly ignorant about security. Then upgrade or uninstall Java as soon as possible. Suggested actions for others Do not try to compromise Citibank's clients or employees computers - it's not their fault that they have to use insecure Java. Pretty please. Regards Tomasz "Tometzky" Ostrowski -- ...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were... Winnie the Pooh _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/