Citibank CitiDirect Online Banking Forced Use Of Vulnerable JRE

Posted Nov 2, 2011
Authored by Tomasz Tometzky Ostrowski

Citibank CitiDirect Online Banking software is forcing the use of a vulnerable version of the Java Runtime Environment, again.

tags | advisory, java
SHA-256 | 10db1585f570c0c0436c5668ad5955bf1a4e6b12f877810cf62870beabcefb0d

Citibank CitiDirect Online Banking is (again) forcing the use of a
vulnerable version of the Java Runtime Environment.


Vulnerable product information

CitiDirect Online Banking is Citibank's Web-based banking platform.


Vulnerability description

CitiDirect requires the Java Runtime Environment (JRE) to be installed on
the client's computer and the Java plugin to be enabled in the client's
browser. But it requires a "supported version" of Java, and the list of
supported versions often does not include the latest release for weeks
after it ships:
Supported JRE Versions
https://citidirect-eb.citicorp.com/logon/SunVersionHelp.html
It is now over 2 weeks after the release of Java 6 update 29, which fixed
20 security vulnerabilities (some critical):
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
It is still "unsupported" though.

Users of an unsupported version of the JRE are denied access to online
banking: "The version of Sun Java™ software currently installed on your
computer does not meet the requirements to run CitiDirect® Online Banking".


Impact of vulnerability

Users are forced to run in their browser a version of the JRE plugin that
is exposed to publicly known vulnerabilities.

Users are also trained to ignore notifications from Java about new
versions, since installing one denies them access to their money. This
makes them permanently vulnerable. And CitiDirect is happy to work with
Java as old as 1.4.2, which has thousands of known vulnerabilities and
hundreds of available exploits.


Vendor response

I've contacted support for Citibank Poland. I've received information
that Java 6u29 will be supported on November 21st - over a month after
publication.

They told me that "Caring of reliability and security of their systems,
which are key issues for their clients, Citi has heightened quality
procedures, which mission is to ensure compatibility of new software
version with their platform."

Of course. The problem is that they do not care about the reliability and
security of their clients' systems, which depend on prompt updates for
their security.

"Although this procedure is time-consuming it is a widely accepted
standard in this business: vendors pass on test versions first, which
are then subjected to heightened quality process."

So they trade a very small risk of some hypothetical incompatibility,
which can always be mitigated by simply uninstalling the new version and
installing an older one, for a very high and real risk of their clients
getting hacked.


Suggested actions for vendor

CitiDirect should allow the latest and future versions of Java to access
the site. It can display a warning that this version of Java has not yet
been fully tested.

It should also display a prominent warning if it detects a vulnerable
version of Java on the client's computer, urging the user to upgrade.
This way it can at least try to repair the damage it has already done.
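To make the two gating policies concrete, here is an added illustration (not CitiDirect's code, and not from the advisory's author): a parser for Java plugin version strings such as "1.6.0_29", the allowlist behaviour the advisory describes, and the minimum-patched-version policy it recommends. The allowlist contents, the version cut-offs and the return labels are constructed sample values for this example.

```javascript
// Added example: Java plugin version gating, allowlist vs. minimum patched version.
// All version strings, the allowlist and the cut-offs below are constructed samples.

// Parse "1.6.0_29" -> [1, 6, 0, 29]; missing micro/update parts default to 0.
// Returns null for anything that does not look like a Java version string.
function parseJavaVersion(s) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?/.exec(s.trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0), Number(m[4] || 0)];
}

// Component-wise comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Policy 1: the allowlist behaviour the advisory describes. Anything not on
// the list, including a newer release that fixes known bugs, is refused.
const SUPPORTED_ALLOWLIST = ["1.4.2_19", "1.5.0_22", "1.6.0_26", "1.6.0_27"];
function allowlistPolicy(versionString) {
  return SUPPORTED_ALLOWLIST.includes(versionString.trim()) ? "allow" : "deny";
}

// Policy 2: the policy the advisory recommends. minPatched is the oldest
// release without publicly known, fixed vulnerabilities; newestTested is the
// newest release the site has fully tested. Older than minPatched: warn the
// user to upgrade. Newer than newestTested: allow, with a "not yet fully
// tested" notice. Anything else: allow. Unparseable strings fail closed.
function minimumVersionPolicy(versionString, minPatched, newestTested) {
  const v = parseJavaVersion(versionString);
  const lo = parseJavaVersion(minPatched);
  const hi = parseJavaVersion(newestTested);
  if (v === null || lo === null || hi === null) return "deny";
  if (compareVersions(v, lo) < 0) return "warn-upgrade";
  if (compareVersions(v, hi) > 0) return "allow-untested-warning";
  return "allow";
}
```

With minPatched set to "1.6.0_29" and newestTested to "1.6.0_27", a user on 6u29 is let in with a notice instead of being locked out, while a user still on 6u27 is told to upgrade.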


Suggested actions for clients

Change banks, as Citibank is blatantly ignorant about security. Then
upgrade or uninstall Java as soon as possible. Or upgrade Java now and
wait 3 more weeks without access to your money.


Regards
Tomasz "Tometzky" Ostrowski

PS. I posted a similar advisory in June 2010:
http://seclists.org/fulldisclosure/2010/Jul/113
Two days later the updated Java was supported. And since then every version
was supported even before it was officially published by Oracle, until
this one. I do not understand why it was possible then and it is not
possible now.

--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
