Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Java Malicious App Alert System Tricked

Developer hacks Java security warnings to display fake app names; Oracle reportedly prepping a fix.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Attackers can spoof information relayed by the Java 7 malicious app warning system.

So says programmer Jerry Jongerius, who has released a "Java Code Signing Failure" alert detailing how app names displayed by Java security dialog boxes can be arbitrarily changed.

Java first unveiled its malicious app warning system in April -- to mixed reviews -- with the release of Java 7 update 21. The system is designed to warn users not to execute any Java app that hasn't been signed with a digital certificate. For signed apps, the warning system asks users if they want to proceed, and relays information to help them make their decision, including the name of the signed app, source and publisher.

[ Digital forensics is a growing field. Read New Security Trend: Bring Your Own Attorney. ]

But Jongerius, who runs a software development firm called Duckware, found flaws in that warning system that allowed him to not only rename digitally signed apps, but also serve apps from unapproved domains. He published an interactive test that demonstrates how the flaws can be exploited, using Oracle's own "Java Detection" applet, which is available via java.com.

"You can enter the name that you want to appear in the Java security dialog popup," he said via email. For example, the test's default name is set to "Credit Card Information Stealer," and if the test is run, an up-to-date version of the Java browser plug-in will display a security warning, asking the user if he wants to execute the "Credit Card Information Stealer," which the Java plug-in certifies is from "www.java.com" and signed by publisher "Oracle America, Inc." Again, no matter the name change, the applet is still Oracle's "Java Detection" applet.

Call it "basic failure by Oracle in code signing 101 rules," said Jongerius, who noted that any such system should "only present information to the end user that was actually signed by the publisher" -- no more, no less.

In addition, Jongerius was able to bypass restrictions on the site from which a signed app could be run. "Oracle has signed their applet to only run from java.com -- but it is running on my web page. The signed applet, with access to the entire computer, then calls JavaScript in my web page," he said. "Somehow I don't think that is what Oracle intended when they signed their app to only run on java.com -- meaning that their 'codebase' method of restricting repurposing is not working and not well thought out."

An Oracle spokeswoman didn't immediately respond to an email asking if the company had confirmed the vulnerability or was readying a fix. But Jongerius said that the U.S. Computer Emergency Response Team -- with which he shared details of the vulnerability -- emailed him that "Oracle is aware of the issue and is targeting a fix for a future update." Jongerius also noted that "my Web logs show that Oracle has hit that page a lot," referring to the proof-of-concept test page he created.

What's the threat to Java users from this vulnerability? Jongerius said that although "the risk is very small," attackers might take a legitimate tool, such as a remote-control utility that most users would never run, and package it as a more innocuous utility, titled for example as a Java version detector. "The user then runs it, seeing only 'Java Detection,' the hacker then outputs some 'Java information' and the user thinks it works and is done -- but they are now running remote control software," he said.

"The larger issue is that Oracle is presenting an application name to the user that the publisher never even signed, that anyone can change -- is crazy," he said.

Veteran Java bug hunter Adam Gowdiak, CEO of Security Explorations, also downplayed any risks to users from the vulnerability. "Alone, it does not pose a direct security risk," he said via email. "It could, however, cause unnecessary confusion for Java users [and] undermine their trust in [the] security warning shown or credibility of a digital signature verification process."

Fixing the problem should be simple. "The application 'Name' presented to the end user must come from the signed application" -- for example, by storing that name value inside a signed JAR (Java archive) file, said Jongerius.

Gowdiak agreed with that fix suggestion. "Oracle should consider adding a new attribute to the JAR Manifest file that would stand for the signed application name and could be digitally signed as well," he said. But the current JAR manifest specification doesn't include an attribute for an application name. "This could be the reason for the use of applet tag parameters -- such as 'name' -- that are not part of a digital signature verification process," he said, and which Jongerius was thus able to spoof.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4966
PUBLISHED: 2021-01-21
IBM Security Identity Governance and Intelligence 5.2.6 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the...
CVE-2020-4968
PUBLISHED: 2021-01-21
IBM Security Identity Governance and Intelligence 5.2.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192427.
CVE-2020-4969
PUBLISHED: 2021-01-21
IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniq...
CVE-2020-26285
PUBLISHED: 2021-01-21
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to import/export data and to create widget instances was able to inject an exe...
CVE-2020-26295
PUBLISHED: 2021-01-21
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage Versions up from 19.4.9 and ...