Marc's Blog

Things from me about me …

Recent JAVA 0-day exploit takes down online banking in Luxembourg


The online banking in Luxembourg can be combined with certificates from LuxTrust to ease the login and electronic signing of banking transactions. LuxTrust delivers the digital certificates on a SIM card to the end user, who is then required to use a specific hardware device and middleware software to use the certificates.

Most banks use a JAVA applet to reach the middleware which has now proven to be a very serious single point of failure. Mozilla and Google deactivated the JAVA plugins in their browsers on January 12th, 2013 leaving the online banking portals with no access to the LuxTrust Middleware.

ORACLE has announced a patch for the exploit but didn’t announce a release date. LuxTrust users shouldn’t expect a solution within a short time frame and they will need to revert to the proprietary login procedures applied by each bank.

The issue shows how tightly the services provided by LuxTrust and LuxTrust partners are bound to a single piece of software. While the usage of a JAVA applet and the JAVA security features should protect the LuxTrust services, the issue also clearly shows how vulnerable the product becomes in case one element in the production chain becomes compromised.
