Yahoo 5 Years Behind on Java Security
Keeping software up to date is one of the easiest and most effective ways to prevent computer infections from wreaking havoc on your system.
But for some reason, Yahoo is telling its small-business customers to use a version of Java that, by Internet standards, is pretty ancient.
Yahoo's misstep affects those who use SiteBuilder, a free tool for creating Web pages in Yahoo's hosting environment, reported independent security blogger Brian Krebs.
SiteBuilder requires the use of the Java software platform. But instead of serving up the latest, most secure version, users are asked to use Java 6 Update 7, which hasn't been current since 2008.
Yahoo's own page promoting SiteBuilder carries a 2007 copyright notice on all material, and the SiteBuilder download page recommends Windows XP as the optimal operating system. (SiteBuilder will also run on Windows 2000.)
Whether Java 6.7 actually is required to run SiteBuilder is still unclear. A commenter on Krebs' site said SiteBuilder would work with newer versions of Java 6, but not with Java 7, introduced in mid-2011.
We tried installing SiteBuilder, but were advised that "Yahoo! SiteBuilder requires a different version of the Java Runtime Environment than the one found on your computer."
What is certain is that users running older versions of Java are at risk from hundreds of exploits that could lead to computer damage, data theft, identity theft and even stolen funds.
As Krebs notes, outdated versions of Java are the largest point of entry for malware attacks.
The latest versions of Java had numerous security problems just last month, and many security experts recommend disabling Java entirely in Web browsers.
Combined with an endorsement from Internet behemoth Yahoo, the use of outdated Java code creates a cocktail of confusion and compromised security that disproportionately affects small businesses, many of which are ill-prepared to handle a malware or hacker attack.
Earlier this month, Yahoo was found to have failed to patch its implementation of WordPress on a developer page, allowing spammers to hijack Yahoo Mail accounts.
Last summer, hackers broke into Yahoo's servers and made off with 450,000 usernames, email addresses and unencrypted passwords corresponding to Yahoo! Voices accounts.
An email seeking comment from Yahoo was not immediately returned.