Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Java Malicious App Alert System Tricked

Developer hacks Java security warnings to display fake app names; Oracle reportedly prepping a fix.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Attackers can spoof information relayed by the Java 7 malicious app warning system.

So says programmer Jerry Jongerius, who has released a "Java Code Signing Failure" alert detailing how app names displayed by Java security dialog boxes can be arbitrarily changed.

Java first unveiled its malicious app warning system in April -- to mixed reviews -- with the release of Java 7 update 21. The system is designed to warn users not to execute any Java app that hasn't been signed with a digital certificate. For signed apps, the warning system asks users if they want to proceed, and relays information to help them make their decision, including the name of the signed app, source and publisher.

[ Digital forensics is a growing field. Read New Security Trend: Bring Your Own Attorney. ]

But Jongerius, who runs a software development firm called Duckware, found flaws in that warning system that allowed him to not only rename digitally signed apps, but also serve apps from unapproved domains. He published an interactive test that demonstrates how the flaws can be exploited, using Oracle's own "Java Detection" applet, which is available via java.com.

"You can enter the name that you want to appear in the Java security dialog popup," he said via email. For example, the test's default name is set to "Credit Card Information Stealer," and if the test is run, an up-to-date version of the Java browser plug-in will display a security warning, asking the user if he wants to execute the "Credit Card Information Stealer," which the Java plug-in certifies is from "www.java.com" and signed by publisher "Oracle America, Inc." Again, no matter the name change, the applet is still Oracle's "Java Detection" applet.

Call it "basic failure by Oracle in code signing 101 rules," said Jongerius, who noted that any such system should "only present information to the end user that was actually signed by the publisher" -- no more, no less.

In addition, Jongerius was able to bypass restrictions on the site from which a signed app could be run. "Oracle has signed their applet to only run from java.com -- but it is running on my web page. The signed applet, with access to the entire computer, then calls JavaScript in my web page," he said. "Somehow I don't think that is what Oracle intended when they signed their app to only run on java.com -- meaning that their 'codebase' method of restricting repurposing is not working and not well thought out."

An Oracle spokeswoman didn't immediately respond to an email asking if the company had confirmed the vulnerability or was readying a fix. But Jongerius said that the U.S. Computer Emergency Response Team -- with which he shared details of the vulnerability -- emailed him that "Oracle is aware of the issue and is targeting a fix for a future update." Jongerius also noted that "my Web logs show that Oracle has hit that page a lot," referring to the proof-of-concept test page he created.

What's the threat to Java users from this vulnerability? Jongerius said that although "the risk is very small," attackers might take a legitimate tool, such as a remote-control utility that most users would never run, and package it as a more innocuous utility, titled for example as a Java version detector. "The user then runs it, seeing only 'Java Detection,' the hacker then outputs some 'Java information' and the user thinks it works and is done -- but they are now running remote control software," he said.

"The larger issue is that Oracle is presenting an application name to the user that the publisher never even signed, that anyone can change -- is crazy," he said.

Veteran Java bug hunter Adam Gowdiak, CEO of Security Explorations, also downplayed any risks to users from the vulnerability. "Alone, it does not pose a direct security risk," he said via email. "It could, however, cause unnecessary confusion for Java users [and] undermine their trust in [the] security warning shown or credibility of a digital signature verification process."

Fixing the problem should be simple. "The application 'Name' presented to the end user must come from the signed application" -- for example, by storing that name value inside a signed JAR (Java archive) file, said Jongerius.

Gowdiak agreed with that fix suggestion. "Oracle should consider adding a new attribute to the JAR Manifest file that would stand for the signed application name and could be digitally signed as well," he said. But the current JAR manifest specification doesn't include an attribute for an application name. "This could be the reason for the use of applet tag parameters -- such as 'name' -- that are not part of a digital signature verification process," he said, and which Jongerius was thus able to spoof.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...