Yahoo! Pushing Java Version Released in 2008

At a time when Apple, Mozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of Java, Yahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old.

Yahoo! users who decide to build a Web site within the Internet firm’s hosting environment are steered toward using a free tool called SiteBuilder, which is designed to make building simple Web sites a point-and-click exercise. Yahoo! has offered SiteBuilder to its millions of users for years, but unfortunately the tool introduces a myriad of security vulnerabilities on host PCs.

SiteBuilder requires Java, but the version of Java that Yahoo! bundles with it is Java 6 Update 7. It’s not clear if this is just a gross oversight or if their tool really doesn’t work with more recent versions of Java. The company has yet to respond to requests for comment.

But this version of Java was first introduced in the summer of 2008 and is woefully insecure and out-of-date. Oracle just released Java 6, Update 39, meaning that SiteBuilder installs a version of Java that includes hundreds of known, critical security vulnerabilities that can be used to remotely compromise host PCs.

There are two reasons why this is a big deal: Java is the biggest source of malware infections across an entire industry of exploit packs — crimeware toolkits that are stitched into hacked and malicious Web sites and designed to exploit known browser flaws. Also, Yahoo! is a major Internet company that ought to know better. Sadly, this Yahoo! offering is aimed at small businesses, who are least likely to understand the importance of updating apps like Java and who are most frequently the targets of extremely costly cyberheists.

Incredibly, this is the version of Java you’ll have after installing Yahoo’s SiteBuilder program.

One final note about SiteBuilder: Building your site with this tool may not only be hazardous to the security of your PC, it may also make it harder for your site to get the recognition it deserves. A bit of searching on this tool turned up some less than flattering results suggesting that sites built with SiteBuilder do not support an important type of Web site search optimization called “canonicalization.” I’ll leave it to Matt Cutts, a search guru and head of the anti-spam team at Google, to explain why this is such a fundamental pillar of search engine optimization (SEO).

via Krebs on Security http://krebsonsecurity.com/2013/02/yahoo-pushing-java-version-released-in-2008/
