In Java 7 Update 21, Oracle introduced a system that warns users if they are about to execute an app not signed with a digital certificate, but a security expert found it is easy to forge the name of the app that appears in the security dialog.
“The problem is that the ‘Name’ in this ‘security’ dialog contains an unsigned application name that can be easily forged (it comes from the unsigned web page) – at will – by anyone – a basic failure by Oracle in code signing 101 rules – only present information to the end user that was actually signed by the Publisher,” said Jerry Jongerius, the founder of Duckware, and the person who found this and other flaws in Java.
Jongerius developed a test page demonstrating that the application name shown in the Java security dialog can be changed by the web page that embeds the applet, since the dialog takes it from the unsigned page rather than from the signed JAR.
Jongerius said this shows that the new Java security dialogs do not deserve the trust they invite.
He rated the risk associated with this weakness as low. Even so, an attacker could compromise an unsuspecting user's computer simply by tricking them into running a malicious app that the dialog presents as an innocent, trusted application.
Jongerius said Oracle already knew about the issue, since several visits to his test page came from the company's IP addresses.
The JAR file name displayed in the security dialog is likewise not covered by the signature: an attacker can rename a signed JAR, and the dialog shows the new name.
“Once a Publisher signs a JAR file, there is NO legitimate reason (other than hacker activity) for Oracle to allow the JAR to be renamed to something else,” Jongerius said.
Finally, Jongerius said that Oracle's new MANIFEST.MF "Codebase" attribute, which is meant to stop a signed app from being repurposed on a site it was not signed for, and the Java sandbox do not work properly.
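To make the "only present information that was actually signed" rule concrete, here is an added example (not code from the article, from Oracle or from Duckware) that builds a tiny JAR in memory with the two digest layers a jarsigner signature has (each file digested into MANIFEST.MF, and MANIFEST.MF digested into a META-INF/*.SF file) and then derives the dialog's contents only from attributes that those digests cover. It shows the three points above in one place: a name taken from the signed manifest survives a forged page name, the JAR file name and the page's name are outside the signature and are therefore reported as untrusted, and a Codebase attribute lets the loader refuse a JAR re-hosted on another site. Assumptions: the PKCS#7 block (META-INF/*.RSA) that actually signs the .SF file is omitted, so the check proves integrity binding only, not who signed it; the signed name is read from an `Application-Name` manifest attribute chosen for illustration (the article mentions only Codebase); the Codebase matcher is a simplified space-separated host list with a leading `*.` wildcard; all JAR contents are constructed sample data.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SF = "META-INF/EXAMPLE.SF"  # the signature file a signer writes; its PKCS#7 .RSA block is omitted here


def b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def parse_manifest(text: str) -> dict:
    """MANIFEST.MF / .SF syntax -> {None: main attrs, "path": per-entry attrs}.
    A line starting with a space continues the previous line (72-byte wrapping)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current, name = {}, {}, None
    for line in lines + [""]:
        if not line:
            if current:
                sections[name] = current
            current, name = {}, None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        current[key] = value
    return sections


def write_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()


def read_zip(jar_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return {info.filename: z.read(info.filename) for info in z.infolist()}


def build_jar(main_attrs: dict, files: dict) -> bytes:
    """Constructed sample JAR with jarsigner's two digest layers: each file is
    digested into MANIFEST.MF, and MANIFEST.MF is digested into the .SF file."""
    manifest = "Manifest-Version: 1.0\r\n" + "".join(f"{k}: {v}\r\n" for k, v in main_attrs.items()) + "\r\n"
    for path, data in files.items():
        manifest += f"Name: {path}\r\nSHA-256-Digest: {b64_sha256(data)}\r\n\r\n"
    manifest_bytes = manifest.encode()
    sf = f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: {b64_sha256(manifest_bytes)}\r\n\r\n"
    return write_zip({MANIFEST: manifest_bytes, SF: sf.encode(), **files})


def signed_main_attributes(jar_bytes: bytes) -> dict:
    """Return the MANIFEST.MF main attributes only if both digest layers check out;
    raise ValueError if the manifest or any listed file changed after signing."""
    entries = read_zip(jar_bytes)
    sf = parse_manifest(entries[SF].decode())
    if sf[None].get("SHA-256-Digest-Manifest") != b64_sha256(entries[MANIFEST]):
        raise ValueError("MANIFEST.MF is not the manifest the signature file covers")
    manifest = parse_manifest(entries[MANIFEST].decode())
    for path, attrs in manifest.items():
        if path is not None and attrs.get("SHA-256-Digest") != b64_sha256(entries.get(path, b"")):
            raise ValueError(f"{path} does not match its signed digest")
    return manifest[None]


def codebase_allows(codebase: str, host: str) -> bool:
    """Simplified Codebase check (assumption): space-separated hosts, '*.' prefix wildcard."""
    return any(host.endswith(p[1:]) if p.startswith("*.") else host == p for p in codebase.split())


def security_dialog(jar_bytes: bytes, page_name: str, page_host: str, jar_filename: str) -> dict:
    """Derive dialog facts from signed data only. page_name and jar_filename come from
    the HTML page and the URL, so they are reported as untrusted, never as the name."""
    attrs = signed_main_attributes(jar_bytes)
    return {
        "name": attrs.get("Application-Name", "<no signed name>"),  # attribute chosen for illustration
        "codebase_ok": codebase_allows(attrs.get("Codebase", ""), page_host),
        "untrusted_page_name": page_name,
        "untrusted_jar_filename": jar_filename,
    }


def demo() -> dict:
    jar = build_jar({"Application-Name": "Example Demo Applet", "Codebase": "*.example.com"},
                    {"Demo.class": b"\xca\xfe\xba\xbe constructed class bytes"})
    honest = security_dialog(jar, "Example Demo Applet", "www.example.com", "demo.jar")
    # Same signed JAR re-hosted with a forged page name and a renamed file: the signed
    # name survives, and the Codebase check fails for the new host.
    repurposed = security_dialog(jar, "Trusted Bank Login", "evil.example", "banklogin.jar")
    # Editing the signed attribute itself breaks the manifest digest held in the .SF file.
    entries = read_zip(jar)
    entries[MANIFEST] = entries[MANIFEST].replace(b"Example Demo Applet", b"Trusted Bank Login")
    try:
        security_dialog(write_zip(entries), "x", "www.example.com", "demo.jar")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"honest": honest, "repurposed": repurposed, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The design point is the one the article makes: anything the dialog displays must be reachable from the signed manifest through an unbroken digest chain, and anything that is not (the page's applet name, the JAR's file name) can only ever be shown as untrusted context. A real verifier must also check the PKCS#7 signature over the .SF file and the signer's certificate chain, which this example deliberately leaves out.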