At a time when Apple, Mozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of Java, Yahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old.
Yahoo! users who decide to build a Web site within the Internet firm’s hosting environment are steered toward using a free tool called SiteBuilder, which is designed to make building simple Web sites a point-and-click exercise. Yahoo! has offered SiteBuilder to its millions of users for years, but unfortunately the tool introduces a myriad of security vulnerabilities on host PCs.
SiteBuilder requires Java, but the version of Java that Yahoo! bundles with it is Java 6 Update 7. It’s not clear if this is just a gross oversight or if their tool really doesn’t work with more recent versions of Java. The company has yet to respond to requests for comment.
But this version of Java was first introduced in the summer of 2008 and is woefully insecure and out-of-date. Oracle just released Java 6, Update 39, meaning that SiteBuilder installs a version of Java that includes hundreds of known, critical security vulnerabilities that can be used to remotely compromise host PCs.