[Full-disclosure] Citibank CitiDirect - forced usage of vulnerable version of Java Runtime Environment

Citibank CitiDirect Online Banking is forcing usage of vulnerable
version of Java Runtime Environment.

Vulnerable product information

CitiDirect Online Banking [is a] Citibank's Web-based banking platform.
CitiDirect puts all your corporate banking functions in one
security-protected place, giving you around the globe, centralized
access to your account information in real time right from your desktop.

CitiDirect® is available in more than 90 countries and in 21 languages.
It has more than 150,000 users within 25,000 corporate clients. [in
2004, now probably many more]

Vulnerability description

CitiDirect requires Java Runtime Environment (JRE) installed on client's
computer and Java plugin enabled in client's browser. But it requires a
"supported version" of Java, a list of which often does not include
latest version for months after release:
Supported JRE Versionse
It is now over _3_ _months_ after release of Java 6 update 19, with 27
security vulnerabilities fixed:
It is still "unsupported" though. And there's now update 20 released,
which closes another vulnerability currently exploited in the wild.

Users of unsupported version of JRE are denied access to online banking
- "The version of Sun Java™ software currently installed on your
computer does not meet the requirements to run CitiDirect® Online Banking".

Impact of vulnerability

Users are forced to use in a browser a version of JRE plugin, that is
vulnerable to publicly known vulnerabilities, with publicly available

Also users are trained to ignore notifications from Java about new
versions, as installing it denies them access to their money. It makes
them vulnerable permanently.

Vendor response

I've tried to contact Citibank at least from August 2007.

I wasn't able to find a security contact anywhere on a citigroup.com
pages. I've tried to contact by a web form
https://www.citibank.com/domain/contact/visitor_email/form.htm but
haven't received a response.

So I have contacted phone support for Poland. Their responses were
"entertaining", like:
- we use 256 bit encryption so we are very secure;
- you can use a vulnerable Java, because we will not try to break to
your computer;
- nobody will be able to write an exploit targeting a bank in a few
weeks before a new version of Java is tested and marked supported.

Suggested actions for vendor

Vendor should allow latest and future versions of Java to access the
site. It can display a warning, that this version of Java is not fully
tested for at most a week after a new Java release.

Vendor should also display a prominent warning if it detects a
vulnerable version of Java in client's computer urging him to upgrade.
This way it can at least try to repair damage it did already.

Suggested actions for clients

Change a bank, as Citibank is blatantly ignorant about security. Then
upgrade or uninstall Java as soon as possible.

Suggested actions for others

Do not try to compromise Citibank's clients or employees computers -
it's not their fault that they have to use insecure Java. Pretty please.

Tomasz "Tometzky" Ostrowski
...although Eating Honey was a very good thing to do, there was a moment
just before you began to eat it which was better than when you were...
Winnie the Pooh

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/