So perhaps you saw my previous post: Java 8 without the Adware (aka Java8Unjunker)?
Good stuff eh? There was something in there that got me thinking: If they didn't sign the package, is the app doing any integrity checks on the package inside either? Hmmm, let's see…
Voice over: We've secretly replaced the JavaAppletPlugin.pkg package with QuickTime 7. Let's see if it can tell the difference!
Here we go!
Sure, let me authenticate right when you run, before any confirmation of action – why not!? (Ugh, bad form already.)
Oh OK, “safe and easy” – I love it! But just to clarify…
By "easy" you mean: Checking lots of trust boxes and clicking "Run" buttons a lot to get a Java app working (plus crossing your fingers)?
By "safe" you mean: a steady stream of high-scored CVEs with low complexity? Or even running in Unsafe Mode when needed?
OK what’s next?
Oh dear God no! No Ask.com. Uncheck. Next.
Oh, right, away we go, I gave you my password at the door. Installing Java, are we?
OK, I've successfully installed Java then, if you say so… I guess that's proof alright!
It then takes you to the Verify Java page — but who cares about that!
What does /var/log/install.log say about what was installed?
Yep, it installed the QuickTime 7 package we put in there and Java Updater 40.app was none the wiser.
So in conclusion… That's a really nifty "Ask Toolbar installer" with arbitrary package installer, Oracle. It's also a great delivery vehicle for malware by nefarious folks. Heck, bundle Java along with your Trojan and the "Verify Java" page would open too! Sheesh. Is the Ask contract that lucrative? Oracle made $38 billion in revenue last year; IAC, the parent of Ask.com, pulled in $3 billion. I guess IAC have got money to spend and Oracle will take it (but not invest in more secure installers?)
Notes: The first attempt used a QuickTimePlayer7.6.6_SnowLeopard.pkg with an expired certificate; that halted the install. The 2nd attempt I stripped out the expired certificate. It worked. The 3rd time I downloaded a newly signed version from Apple; that too worked.
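The post's check of /var/log/install.log is the kind of thing worth automating on a fleet: pull the "PackageKit: Installed" records and flag any package whose name does not match what the installer was supposed to deliver. The script below is an added example, not code from the post; the log lines in it are constructed to approximate the install.log format, and the expected-name prefix is an assumption you would set per installer.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed sample of install.log lines (not real records from the post),
# approximating what installd writes when a package is installed. A "Java"
# installer that ends up installing QuickTime is exactly the mismatch described.
SAMPLE_INSTALL_LOG = """\
Mar  4 10:41:02 mac Installer[812]: Java Updater 40 started install
Mar  4 10:41:09 mac installd[181]: PackageKit: Installed "QuickTime Player 7" ()
Mar  4 10:41:09 mac installd[181]: PackageKit: Applications have been installed
Mar  4 10:41:10 mac Installer[812]: Install complete
"""

# Timestamp, host, process[pid], then the installed-package record.
INSTALLED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ '
    r'(?P<proc>\w+)\[(?P<pid>\d+)\]: PackageKit: Installed "(?P<name>[^"]+)"'
)


@dataclass(frozen=True)
class InstallRecord:
    timestamp: str
    process: str
    pid: int
    package_name: str


def parse_installed(log_text: str) -> list[InstallRecord]:
    """Return one record per 'PackageKit: Installed' line; other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = INSTALLED_RE.match(line)
        if m:
            records.append(InstallRecord(m["ts"], m["proc"], int(m["pid"]), m["name"]))
    return records


def unexpected_installs(log_text: str, expected_prefixes: list[str]) -> list[InstallRecord]:
    """Records whose package name starts with none of the expected prefixes.

    expected_prefixes is an assumption about what the installer should deliver,
    e.g. ["Java"] for a Java updater run.
    """
    prefixes = tuple(expected_prefixes)
    return [r for r in parse_installed(log_text) if not r.package_name.startswith(prefixes)]


if __name__ == "__main__":
    # Usage: python check_install_log.py [/var/log/install.log]; falls back to the sample.
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_INSTALL_LOG
    for rec in unexpected_installs(text, ["Java"]):
        print(f"{rec.timestamp} {rec.process}[{rec.pid}]: unexpected package installed: {rec.package_name!r}")
```

Running it against the sample prints the QuickTime record; against a real install.log, pass the path as the first argument and adjust the expected prefix to the installer you are auditing.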
Parting note for Oracle:
Sign your critical packages! If you insist on using your glorified "Ask Toolbar installer app" to do this, then require that it verify the package integrity in some way, Orable! (heh, that was a typo but I like it: Orable, ha!)
Update: Oracle is now signing the package within and the installer can no longer be duped into running an arbitrary package. The version when this article was written was 220.127.116.11, it is now 18.104.22.168.
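What "verify the package integrity in some way" looks like in practice: before handing the inner .pkg to the system installer, check that its bytes match a pinned SHA-256 and that `pkgutil --check-signature` reports a trusted signature from the expected signer. This is an added example, not Oracle's code or the post's; the `pkgutil` output samples are constructed to approximate the real tool's layout, and the signer name and team ID in them are placeholders.

```python
import hashlib
import hmac
import subprocess
import sys
from pathlib import Path

# Constructed samples of `pkgutil --check-signature` output (layout approximated;
# "Example Vendor, Inc." and "TEAMID0000" are placeholders, not real identities).
UNSIGNED_OUTPUT = """\
Package "JavaAppletPlugin.pkg":
   Status: no signature
"""

SIGNED_OUTPUT = """\
Package "JavaAppletPlugin.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Example Vendor, Inc. (TEAMID0000)
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
    3. Apple Root CA
"""


def signature_ok(check_output: str, expected_signer: str) -> bool:
    """Accept only a trusted signature whose leaf certificate names the expected signer.

    A self-signed or expired chain does not produce the 'trusted by' status line,
    and a valid signature from some other vendor fails the leaf-name check.
    """
    trusted = False
    leaf_ok = False
    for line in check_output.splitlines():
        s = line.strip()
        if s.startswith("Status:"):
            trusted = "signed by a certificate trusted by" in s
        elif s.startswith("1. "):  # leaf certificate of the chain
            leaf_ok = expected_signer in s
    return trusted and leaf_ok


def digest_ok(data: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison of the payload digest against a pinned value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def run_check_signature(pkg_path: Path) -> str:
    """Invoke the real tool (macOS only); returns its stdout for signature_ok()."""
    proc = subprocess.run(["pkgutil", "--check-signature", str(pkg_path)],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def verify_package(pkg_path: Path, expected_sha256_hex: str, expected_signer: str) -> bool:
    """Both checks must pass before the package is allowed anywhere near `installer`."""
    if not digest_ok(pkg_path.read_bytes(), expected_sha256_hex):
        return False
    if sys.platform != "darwin":
        return False  # no pkgutil available; refuse rather than skip the check
    return signature_ok(run_check_signature(pkg_path), expected_signer)


if __name__ == "__main__":
    # Usage: python verify_pkg.py <path-to.pkg> <expected-sha256-hex> "<expected signer>"
    path, digest, signer = Path(sys.argv[1]), sys.argv[2], sys.argv[3]
    print("OK" if verify_package(path, digest, signer) else "REFUSED")
```

The two checks are deliberately independent: the pinned digest catches the swapped-package case from the post even if the attacker has a valid signing certificate of their own, and the signature check lets a vendor ship updated payloads without re-pinning, provided the leaf name matches.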