February 11, 2013

At a time when Apple, Mozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of Java, Yahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old.

Yahoo! users who decide to build a Web site within the Internet firm’s hosting environment are steered toward using a free tool called SiteBuilder, which is designed to make building simple Web sites a point-and-click exercise. Yahoo! has offered SiteBuilder to its millions of users for years, but unfortunately the tool introduces a myriad of security vulnerabilities on host PCs.

SiteBuilder requires Java, but the version of Java that Yahoo! bundles with it is Java 6 Update 7. It’s not clear if this is just a gross oversight or if their tool really doesn’t work with more recent versions of Java. The company has yet to respond to requests for comment.

But this version of Java was first introduced in the summer of 2008 and is woefully insecure and out-of-date. Oracle just released Java 6, Update 39, meaning that SiteBuilder installs a version of Java that includes hundreds of known, critical security vulnerabilities that can be used to remotely compromise host PCs.

There are two reasons why this is a big deal: Java is the biggest source of malware infections across an entire industry of exploit packs — crimeware toolkits that are stitched into hacked and malicious Web sites and designed to exploit known browser flaws. Also, Yahoo! is a major Internet company that ought to know better. Sadly, this Yahoo! offering is aimed at small businesses, who are least likely to understand the importance of updating apps like Java and who are most frequently the targets of extremely costly cyberheists.


Incredibly, this is the version of Java you’ll have after installing Yahoo’s SiteBuilder program.

One final note about SiteBuilder: Building your site with this tool may not only be hazardous to the security of your PC, it may also make it harder for your site to get the recognition it deserves. A bit of searching on this tool turned up some less than flattering results suggesting that sites built with SiteBuilder do not support an important type of Web site search optimization called “canonicalization.” I’ll leave it to Matt Cutts, a search guru and head of the anti-spam team at Google, to explain why this is such a fundamental pillar of search engine optimization (SEO).

Update, Feb. 13, 4:47 p.m. ET: Yahoo! finally got back to me, issuing the following spin-tastic statement: “Yahoo! Web Hosting websites can be built and maintained using a variety of tools that give businesses the flexibility to develop sites according to their needs and technical comfort. We will continue to work on delivering the best experiences for our customers.” When asked what readers should take from the above statement, a spokesperson for the company said Yahoo! had tweaked SiteBuilder so that it is now bundled with Java 6 Update 39, and that it will be updated to Java 7 by the end of the month. Hopefully, it won’t be Java 7 Update 1.
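The practical defender's question raised by the post is how to find machines that are still running a JRE as old as the one SiteBuilder shipped. The following is an added example, not code from the original post and not anything Yahoo! or Oracle provides: a small Python audit that parses Java version strings in the form `java -version` printed them in the Java 6/7 era (`1.6.0_07`) and in the "Java 6 Update 7" / `6u7` form used in vendor pages, normalises both to a (major, update) pair, and flags every install older than a chosen baseline. The baseline defaults to 6u39, the last Java 6 release named in the article; the hostnames and inventory lines are constructed sample data.

```python
"""Flag outdated Java Runtime Environments from inventory data (added example)."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Version as printed by `java -version` in the 1.x scheme: 1.<major>.0_<update>
_RUNTIME_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")
# Marketing form used by vendors and in the article: "Java 6 Update 7" or "6u7"
_MARKETING_RE = re.compile(r"^(?:Java\s+)?(\d+)\s*(?:u|Update\s*)(\d+)$", re.IGNORECASE)


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a recognised Java version string, else None.

    Accepts either a bare version string or the first line of `java -version`
    output (java version "1.6.0_07"). The newer JEP 223 scheme (e.g. "17.0.1")
    is deliberately not handled here; this targets the Java 5/6/7 era.
    """
    s = text.strip()
    m = re.search(r'java version "([^"]+)"', s)
    if m:
        s = m.group(1)
    m = _RUNTIME_RE.match(s)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _MARKETING_RE.match(s)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def is_outdated(version: Tuple[int, int], baseline: Tuple[int, int]) -> bool:
    """True when `version` predates `baseline`; tuples compare major first, then update."""
    return version < baseline


def audit(inventory: Iterable[Tuple[str, str]], baseline: Tuple[int, int] = (6, 39)) -> Dict[str, str]:
    """Classify each (host, version_string) as 'ok', 'outdated' or 'unknown'.

    Unparseable entries are reported rather than silently skipped: a host whose
    Java version cannot be determined still needs a human to look at it.
    """
    report: Dict[str, str] = {}
    for host, raw in inventory:
        parsed = parse_java_version(raw)
        if parsed is None:
            report[host] = "unknown"
        elif is_outdated(parsed, baseline):
            report[host] = "outdated"
        else:
            report[host] = "ok"
    return report


# Constructed sample inventory: hostnames and version strings are made up for
# this example and do not come from any real environment.
SAMPLE_INVENTORY = [
    ("ws-sitebuilder-01", 'java version "1.6.0_07"'),   # the JRE the article describes
    ("ws-finance-02", 'java version "1.6.0_39"'),       # last Java 6 release named in the post
    ("ws-dev-03", "1.7.0_13"),                          # Java 7 Update 13
    ("ws-legacy-04", "1.5.0_12"),                       # Java 5, older than any baseline here
    ("ws-unknown-05", "n/a"),                           # inventory agent could not read a version
]


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:20s} {status}")
```

The comparison is on the full (major, update) pair, so Java 7 Update 1 counts as newer than 6u39 even though the post's closing jab reminds you that a newer major is not automatically a patched one; if you want to enforce a minimum within each major line, pass a per-major baseline instead of a single tuple.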


31 thoughts on “Yahoo! Pushing Java Version Released in 2008”

  1. Uzzi

    Thx Brian. Another piece of the disturbing Yahoo! puzzle… (beside ignoring a prevailing e-mail reject rate from bounce scans + spam rating of >50%, their unpleasant abuse pages and an unreachable abuse department) 🙁

    1. theodore

      I disagree. Their abuse reporting form, while requiring several different URLs to be whitelisted, is the simplest I’ve found to submit.

  2. Stratocaster

    Hey, it could be worse. The standard version of Java on our enterprise image for new PCs is Java 1.5.0.12 (!). (I update my work PC myself.) They claim they don’t have “permission” to use any flavor of Java 7. Which strikes me as odd since it’s FREE — and it even says on the Java Web site that end-users can download and use it at no charge.

    Ditto Uzzi on Yahoo! “customer service” for spam (or any other) issues: unreachable and unhelpful.

    1. DF

      I agree with you that it is ridiculous for them to be using such an outdated version, but my guess is there are applications that they either haven’t tested, or have tested and they didn’t work on the newer versions of Java. So the reason you don’t have “permission” to upgrade is because they think it might break something. Pretty lazy in my mind if that is the case, but unfortunately it is probably also a lot more common than it should be.

      1. CW

        Yeah, it’s just corporate speak for “we’re not sure what will break, if we deploy a more recent Java version, and we fired all of the people that could have fixed it. So we’re just going to continue running a really old, insecure version of Java until there is a massive security breach and the company is shuttered. K thanks.”

        Corporate America at its best.

    1. BrianKrebs Post author

      You might have to log in to a working Yahoo account to see what was in that screenshot. What’s there sans login looks different from what I saw at that link when logged in.

  3. PFM

    Thanks for your article. I created our Boy Scout website using SiteBuilder some years ago and ran into this issue after upgrading (and had to go through a manual clean-up). I can confirm that SiteBuilder works with newer versions of Java 6 but does not work with Java 7.

    1. CW

      Per a previous Java post that Brian made, this latest update of Java version 6 is the LAST one for version 6.x. Only version 7 will be updated going forward, so basically you’ll be insecure when the next exploit is found (if it already hasn’t been found.)

  4. EJ

    Yahoo! isn’t the only company guilty of this – there are many others. State Street Bank used to hold users of their products hostage by requiring older, unpatched versions of Java. Can’t say that’s still the case now, but check out what they link to in their requirements (https://my.statestreet.com/promo/SiteRequirements.htm) for My State Street access: a download of Java v1.4.2.

    Crazy.

    1. JimV

      Another of these 3rd-party vendors which pushes outdated Java versions is the UPS manufacturer APC/Schneider Electric, whose PowerChute Business Edition management software requires Java to function properly. PCBE v9.0.1 was not updated for a very long time (4+ years), and the bundled version of Java 6 which it installed became horribly out-of-date and insecure; as a workaround they provided a separate configuration tool to change its working JRE version to some other (presumably up-to-date and secure) one that was installed on the attached computer, then delete the old/insecure Java version at the user’s option.

      However, one couldn’t simply update Java and be done with it as the entire PCBE functionality would become broken and corrupted. So, whenever a new Java update was released a user was required to completely uninstall all the three PCBE components first, then uninstall and update Java, reinstall the PCBE components (with the old, original insecure bundled Java version), and finally use that configuration tool to switch to the new Java version and delete the old one — a PITA to say the least.

      The older model Smart-UPS (SU1400 NET) I have supports a desktop running Vista Ultimate and requires PCBE for automated shutdown management in the event of power outages extending beyond the battery reserve life. I kept Java up-to-date on that machine but uninstalled it completely from all the others in my office running XP SP3 or Vista Home Premium early last year when Oracle’s insufferable lag in providing updates for long periods when exploits were active became too irritating (and never bothered to install it on the newest running Win7 Pro x64). I finally became fed up with the hassle of that uninstall-reinstall patch cycle last Autumn and removed it from that machine as well, and chose to roll the dice on whether the relatively new replacement battery would hold long enough in an outage to allow me to reach it and initiate a graceful manual shutdown or live with the OS cleanup if not.

      APC released an updated version of PCBE (v9.1.0) in December which comes with a bundled version of Java 6u37 (released by Oracle in mid-October, and update 38 was released just a few days after this PCBE update). In order to test its functionality and decide whether to retain it or once again uninstall it and continue without now that Spring storm season is approaching, I’ve reinstalled the latest version of Java 7 and used the APC configuration tool to switch and remove the obsolete version of Java 6.

      Sorry for the long-winded explanation, but I hope it will help anyone with APC UPS equipment which requires PCBE and doesn’t already know about this particular security maintenance issue or the updated version of PCBE that was released recently.

      1. JimV

        I should have mentioned that there’s also a new version of the configurator tool which automatically deletes the old version of Java after it performs the switch without asking the user anything.

      2. CW

        Ah, thanks for the PCBE memories. I went through some of this same crap myself. It really shouldn’t be this hard….

    1. 67GTV

      “This comes at a time when Mozilla, Apple, and other organizations are taking steps to pervert users…”

      I was having a serious case of déjà vu while reading your blog post Ryan, (much of it is a re-wording of BK’s post), until I re-read this sentence. I don’t recall Brian claiming big software companies are actually perverting users. You may be on to something Ryan! 😉

    2. John

      You can get it to work with Java 6 Update 39 but as you describe it requires uninstalling, re-installing, and playing around with which program opens SiteBuilder. None of which are going to be easy for the average computer user who was most likely drawn to using SiteBuilder in the first place because of its simplicity. These same website owners are also in for a rude surprise when they attempt to move their site to another platform like WordPress.

  5. Old School

    Whenever Brian writes a story about a software “train wreck”, I take a few moments to read the reviews of the product. One sentence in the following review caught my attention:
    Source: http://www.softpedia.com/reviews/windows/Yahoo-SiteBuilder-Review-25342.shtml
    Quote: Go ahead and download this free software! You won’t regret it! End quote.
    In all fairness to the author, the time stamp on the article is June 1st, 2006, 11:10 GMT. IMHO, Softpedia should consider updating the review of SiteBuilder. I wonder how many people reading the review will notice its age.

  6. Harry

    I am not surprised at all. Their news coverage sucks also; very one-sided to the left, left, left!

  7. Rabid Howler Monkey

    Marissa, I sincerely hope you’re aware of the security issues at Yahoo! highlighted by Brian in his blogs. There are likely more waiting to be discovered. Security awareness is yet another cultural change that needs to be made at Yahoo!

    I, for one, am rooting for both you and Yahoo! as I don’t want my only choices to be Google and Microsoft.

    1. TooManySecrets

      They fired that stupid CISO, so the new CEO has done at least one thing right

    2. CW

      What is this post in reference to? Was part of this thread deleted?

  8. Alice Young

    Typically, applications that run their own pre-packaged JVM are not concerns for security, unless they are running a server and accepting connections from unknown locations (in which case you could have a buffer overflow, either by the JVM itself or the code it’s running). The same would be true of any application you download and run in your user’s security context, regardless of whether it was .net or compiled C or whatever. Please correct me if I’m wrong, but I don’t see any reason to be concerned about this software (which could be complete junk, I’ve never even heard of it).

  9. Richard Hassinger

    “SiteBuilder requires Java, but the version of Java that Yahoo! bundles with it is Java 6 Update 7.”

    This is not correct. I downloaded Sitebuilder, a 14mb exe, and installed it on a windows xp VM with no Java. The installer downloaded the latest JRE 1.6 update 39. It did, however, install the Java plugin in IE, without prompting. It appears to be more or less completely written in Java, including a very nice Swing GUI. However, if it HAD been “bundled” with its own JRE (even a very old one), then there would have not been any security concern. It would have just been like any other application that you install. The problem is that it installed the full JRE and made it the default runtime, along with the plugin, which is completely unnecessary.

    1. BrianKrebs Post author

      Richard, I verified my results with several other people. This has been the status quo for a long time.

      If you’re now seeing the latest (and final) version of Java 6 being installed alongside SiteBuilder, well…I think that’s just the bee’s knees. It’s likely that someone at Yahoo! finally fixed this glaring security hole.

      Anyway, glad to see Yahoo! has updated their processes here for the first time in…oh, let’s see…four years? Good stuff!

  10. Ananta

    Hi Brian,

    I recently installed Java 7 update 13. I have deleted most of the files, including the one on c://program files (x86). But there are two other files on c://program data that I cannot delete. Plus, I tried to uninstall from programs and features as well, but every time I tried to uninstall it, it asks me to update every single time. I just wanted to remove the whole lot completely. Help…

    1. 67GTV

      Ananta, if CCleaner or Revo Uninstaller won’t work, you may want to try JavaRA. This helped clean up my Java mess – required for our Symantec Endpoint Protection Manager.

      [quote]
      JavaRa is an effective way to deploy, update and remove the Java Runtime Environment (JRE). Its most significant feature is the JRE Removal tool; which forcibly deletes files, directories and registry keys associated with the JRE. This can assist in repairing or removing Java when other methods fail.
      [end quote]

      http://singularlabs.com/software/javara/

  11. Bri

    Thank you so much for making this huge Yahoo ‘drop off’ public and in the open domain – I was dependent on Yahoo sitebuilder, it stopped working after I updated Java six months or more ago.

    I am a long time Security now listener, so knew that updates were more important than keeping Sitebuilder running, but finally capitulated and rolled back my Java to make this program work.

    Thanks – great interview on Security Now with you this week – many thanks!
