exploit the possibilities

Citibank CitiDirect Online Banking Forced Use Of Vulnerable JRE

Citibank CitiDirect Online Banking Forced Use Of Vulnerable JRE
Posted Nov 2, 2011
Authored by Tomasz Tometzky Ostrowski

Citibank CitiDirect Online Banking software is forcing the use of a vulnerable version of the Java Runtime Environment, again.

tags | advisory, java
MD5 | 60dd3c56bdcdf8772bf869acb49f7db4

Citibank CitiDirect Online Banking Forced Use Of Vulnerable JRE

Change Mirror Download
Citibank CitiDirect Online Banking is (again) forcing usage of 
vulnerable version of Java Runtime Environment.


Vulnerable product information

CitiDirect Online Banking [is a] Citibank's Web-based banking platform.


Vulnerability description

CitiDirect requires Java Runtime Environment (JRE) installed on client's
computer and Java plugin enabled in client's browser. But it requires a
"supported version" of Java, a list of which often does not include
latest version for weeks after release:
Supported JRE Versionse
https://citidirect-eb.citicorp.com/logon/SunVersionHelp.html
It is now over 2 weeks after release of Java 6 update 29, with 20
security vulnerabilities (some critical) fixed:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
It is still "unsupported" though.

Users of unsupported version of JRE are denied access to online banking
- "The version of Sun Java™ software currently installed on your
computer does not meet the requirements to run CitiDirect® Online Banking".


Impact of vulnerability

Users are forced to use in a browser a version of JRE plugin, that is
vulnerable to publicly known vulnerabilities.

Also users are trained to ignore notifications from Java about new
versions, as installing it denies them access to their money. It makes
them vulnerable permanently. And Citidirect is happy to work with Java
as old as 1.4.2, with thousands of known vulnerabilities and hundreds
available exploits.


Vendor response

I've contacted support for Citibank Poland. I've received information
that Java 6u29 will be supported on November 21st - over a month after
publication.

They told me that "Caring of reliability and security of their systems,
which are key issues for their clients, Citi has heightened quality
procedures, which mission is to ensure compatibility of new software
version with their platform.".

Of course. The problem is they do not care of reliability and security
of their client's systems, which have to rely on prompt updates for
security.

"Although this procedure is time-consuming it it a widely accepted
standard in this business: vendors pass on test versions first, which
are then subjected to heightened quality process."

So they trade a very small risk of some hypothetic incompatibility,
which can always be mitigated with just uninstalling a new version and
installing an older one, for very high and real risk of getting hacked
for their clients.


Suggested actions for vendor

Citidirect should allow latest and future versions of Java to access the
site. It can display a warning, that this version of Java is not yet
fully tested.

It should also display a prominent warning if it detects a vulnerable
version of Java in client's computer urging him to upgrade. This way it
can at least try to repair damage it did already.


Suggested actions for clients

Change a bank, as Citibank is blatantly ignorant about security. Then
upgrade or uninstall Java as soon as possible. Or upgrade Java now and
wait 3 more weeks without access to your money.


Regards
Tomasz "Tometzky" Ostrowski

PS. I've posted similar advisory on June 2010:
http://seclists.org/fulldisclosure/2010/Jul/113
2 days later updated Java was supported. And since then every version
was supported even before it was officially published by Oracle until
this one. I do not understand why it was possible then and it is not
possible now.

--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close