So perhaps you saw my previous post: Java 8 without the Adware (aka Java8Unjunker)?
Good stuff eh? There was something in there that got me thinking: If they didn’t sign the package, is the app doing any integrity checks on the package inside either? Hmmm let’s see…
Voice over: We’ve secretly replaced the JavaAppletPlugin.pkg package with QuickTime 7 let’s see if it can tell the difference!
Here we go!
Sure let me authenticate right when you run before any confirmation of action – why not!? (Ugh, bad form already.)
Oh OK, “safe and easy” – I love it! But just to clarify…
By “easy” you mean: Checking lots of trust boxes and clicking “Run” buttons a lot to get a Java apps working (plus crossing your fingers)?
By “safe” you mean: a steady stream of high scored CVEs with low complexity? Or even running in Unsafe Mode when needed?
OK what’s next?
Oh dear God no! No Ask.com. Uncheck. Next.
Oh, right, away we go, I gave you my password at the door. Installing Java are we?
OK I’ve successfully installed Java then if you say so… I guess I that’s proof alright!
It then takes you to the Verify Java page — but who cares about that!
What does /var/log/install.log say about what was installed?
Yep it installed the QuickTime7 package we put in there and Java Updater 40.app was none the wiser.
So in conclusion… That’s a really nifty “Ask Toolbar installer” with arbitrary package installer Oracle. It’s also a great delivery vehicle for malware by nefarious folks. Heck, bundle Java along with your Trojan and the “Verify Java” page would open too! Sheesh. Is the Ask contract that lucrative? Oracle made $38 billion in revenue last year, IAC the parent of Ask.com pulled in $3 billion. I guess IAC have got money to spend and Oracle will take it (but not invest in more secure installers?)
Notes: The first attempt used a QuickTimePlayer7.6.6_SnowLeopard.pkg with an expired certificate, that halted the install. The 2nd attempt I stripped out the expired certificate. It worked. The 3rd time I downloaded a newly signed version from Apple, that too worked.
Parting note for Oracle:
Sign your critical packages! If you insist on using your glorified “Ask Toolbar installer app” to do this, then require that it verify the package integrity in some way, Orable! (heh, that was a typo but I like it: Orable, ha!)
Update: Oracle is now signing the package within and the installer can no longer be duped into running an arbitrary package. The version when this article was written was 220.127.116.11, it is now 18.104.22.168.