Is there any way of working around Citibank's Citidirect forcing usage of a vulnerable Java Runtime Environment, as described in my posting on Full Disclosure?
When Java 5 was still supported, installing two versions of Java did the trick: Citidirect worked with the unsupported version as long as the supported old version was also installed. Only the latest version's Java files were open, so I think it was secure. But it does not work with Java 6.
Maybe there's a way of limiting the Java plugin to one domain, for example citibank.com? Java is not needed for anything else. My users have Windows XP Professional and use Internet Explorer 8 as a browser.
It looks like the answer is:
Make a public announcement on Full Disclosure about putting users at risk, and coincidentally the latest [1] Java version will start to be supported in 2 days…
[1] Not exactly the latest, as at the same time a new version was published by Oracle. But this new version officially does not contain any security fixes.
How about running it in VMs/Citrix/TS or similar, isolating your users from the risk? Just a thought.