
Java Malicious App Alert System Tricked

Developer hacks Java security warnings to display fake app names; Oracle reportedly prepping a fix.

Attackers can spoof information relayed by the Java 7 malicious app warning system.

So says programmer Jerry Jongerius, who has released a "Java Code Signing Failure" alert detailing how app names displayed by Java security dialog boxes can be arbitrarily changed.

Java first unveiled its malicious app warning system in April -- to mixed reviews -- with the release of Java 7 update 21. The system is designed to warn users not to execute any Java app that hasn't been signed with a digital certificate. For signed apps, the warning system asks users if they want to proceed, and relays information to help them make their decision, including the name of the signed app, source and publisher.


But Jongerius, who runs a software development firm called Duckware, found flaws in that warning system that allowed him to not only rename digitally signed apps, but also serve apps from unapproved domains. He published an interactive test that demonstrates how the flaws can be exploited, using Oracle's own "Java Detection" applet, which is available via java.com.

"You can enter the name that you want to appear in the Java security dialog popup," he said via email. For example, the test's default name is set to "Credit Card Information Stealer," and if the test is run, an up-to-date version of the Java browser plug-in will display a security warning, asking the user if he wants to execute the "Credit Card Information Stealer," which the Java plug-in certifies is from "www.java.com" and signed by publisher "Oracle America, Inc." Again, no matter the name change, the applet is still Oracle's "Java Detection" applet.

Call it "basic failure by Oracle in code signing 101 rules," said Jongerius, who noted that any such system should "only present information to the end user that was actually signed by the publisher" -- no more, no less.

In addition, Jongerius was able to bypass restrictions on the site from which a signed app could be run. "Oracle has signed their applet to only run from java.com -- but it is running on my web page. The signed applet, with access to the entire computer, then calls JavaScript in my web page," he said. "Somehow I don't think that is what Oracle intended when they signed their app to only run on java.com -- meaning that their 'codebase' method of restricting repurposing is not working and not well thought out."

An Oracle spokeswoman didn't immediately respond to an email asking if the company had confirmed the vulnerability or was readying a fix. But Jongerius said that the U.S. Computer Emergency Response Team -- with which he shared details of the vulnerability -- emailed him that "Oracle is aware of the issue and is targeting a fix for a future update." Jongerius also noted that "my Web logs show that Oracle has hit that page a lot," referring to the proof-of-concept test page he created.

What's the threat to Java users from this vulnerability? Jongerius said that although "the risk is very small," attackers might take a legitimate tool, such as a remote-control utility that most users would never knowingly run, and present it under a more innocuous name, such as a Java version detector. "The user then runs it, seeing only 'Java Detection,' the hacker then outputs some 'Java information' and the user thinks it works and is done -- but they are now running remote control software," he said.

"The larger issue is that Oracle is presenting an application name to the user that the publisher never even signed, that anyone can change -- is crazy," he said.

Veteran Java bug hunter Adam Gowdiak, CEO of Security Explorations, also downplayed any risks to users from the vulnerability. "Alone, it does not pose a direct security risk," he said via email. "It could, however, cause unnecessary confusion for Java users [and] undermine their trust in [the] security warning shown or credibility of a digital signature verification process."

Fixing the problem should be simple. "The application 'Name' presented to the end user must come from the signed application" -- for example, by storing that name value inside a signed JAR (Java archive) file, said Jongerius.

Gowdiak agreed with that fix suggestion. "Oracle should consider adding a new attribute to the JAR Manifest file that would stand for the signed application name and could be digitally signed as well," he said. But the current JAR manifest specification doesn't include an attribute for an application name. "This could be the reason for the use of applet tag parameters -- such as 'name' -- that are not part of a digital signature verification process," he said, and which Jongerius was thus able to spoof.
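As an added illustration of the fix Jongerius and Gowdiak describe (this is not code from Oracle or from either researcher), the Java snippet below looks up the name to display only from the main attributes of a fully signed JAR's manifest, after every content entry has passed digest verification; the attribute name `Application-Name` and the class name are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/** Returns the signed application name, or null if the JAR is unsigned,
 *  only partly signed, or carries no such attribute. Never consults page parameters. */
public final class SignedAppName {

    // Assumed attribute name; the article proposes such an attribute but does not name it.
    static final String APP_NAME_ATTR = "Application-Name";

    public static String signedApplicationName(File jar) throws IOException {
        // verify=true makes JarFile check each entry's digest against the signed manifest
        try (JarFile jf = new JarFile(jar, true)) {
            Manifest mf = jf.getManifest();
            if (mf == null) return null;

            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // Digest verification runs while the entry stream is consumed;
                // a tampered entry raises SecurityException here
                try (InputStream in = jf.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to verify */ }
                }
                // Code signers are populated only once the entry has been verified
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) return null; // unsigned entry: refuse
            }
            // The .SF file carries a digest of the manifest (or of its main attributes),
            // so this value is covered by the publisher's signature
            Attributes main = mf.getMainAttributes();
            return main.getValue(APP_NAME_ATTR);
        }
    }

    private static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC")));
    }
}
```

This establishes that the name is integrity-protected by whoever signed the JAR; whether that signer's certificate chain is trusted is a separate check the caller must still make before showing the name as "verified."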
