{"id":663,"date":"2015-03-06T04:14:10","date_gmt":"2015-03-06T09:14:10","guid":{"rendered":"http:\/\/www.brunerd.com\/blog\/?p=663"},"modified":"2015-03-28T18:35:44","modified_gmt":"2015-03-28T23:35:44","slug":"java-8-update-40-installer-app-fun","status":"publish","type":"post","link":"https:\/\/www.brunerd.com\/blog\/2015\/03\/06\/java-8-update-40-installer-app-fun\/","title":{"rendered":"Java 8 Update 40 Installer App Fun!"},"content":{"rendered":"<p>So perhaps\u00a0you saw my previous post:\u00a0<a href=\"http:\/\/www.brunerd.com\/blog\/2015\/03\/06\/java-8-without-the-adware-aka-java8unjunker\/\" rel=\"bookmark\">Java 8 without the Adware (aka Java8Unjunker)<\/a>?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-664\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java-8-U40-App.png\" alt=\"Java 8 U40 App\" width=\"97\" height=\"108\" \/><\/p>\n<p>Good stuff eh? There was something\u00a0in there that got me thinking: If they <em>didn&#8217;t sign the package<\/em>, is the app doing <em>any<\/em> integrity checks on the package inside either? Hmmm let&#8217;s see&#8230;<\/p>\n<p>Voice over: We&#8217;ve secretly replaced the JavaAppletPlugin.pkg package with QuickTime 7 let&#8217;s see if\u00a0it can tell the difference!<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-665\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Not-Java.png\" alt=\"Not Java\" width=\"751\" height=\"408\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Not-Java.png 751w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Not-Java-300x163.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Not-Java-500x272.png 500w\" sizes=\"auto, (max-width: 751px) 100vw, 751px\" \/><\/p>\n<p>Here we go!<br \/>\nSure let me authenticate right when you run before any confirmation of action &#8211; why not!? 
(Ugh,\u00a0bad form already.)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-666\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-Auth.png\" alt=\"Java8 Auth\" width=\"555\" height=\"344\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-Auth.png 555w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-Auth-300x186.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-Auth-484x300.png 484w\" sizes=\"auto, (max-width: 555px) 100vw, 555px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-667\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Safe-and-Easy.png\" alt=\"Safe and Easy\" width=\"602\" height=\"514\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Safe-and-Easy.png 602w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Safe-and-Easy-300x256.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Safe-and-Easy-351x300.png 351w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p>Oh OK, <strong>&#8220;safe and easy&#8221;<\/strong> &#8211; I love it! 
But just to clarify&#8230;<br \/>\nBy &#8220;easy&#8221; you mean: Checking lots of trust boxes and clicking &#8220;Run&#8221; buttons a lot to get\u00a0Java apps working (plus\u00a0crossing your fingers)?<br \/>\nBy &#8220;safe&#8221; you mean: a <a href=\"http:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-93\/product_id-19117\/Oracle-JRE.html\">steady stream of high-scored\u00a0CVEs\u00a0with\u00a0low complexity<\/a>?\u00a0Or even running in Unsafe Mode when needed?<\/p>\n<p>OK what&#8217;s next?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-668\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Ask1.png\" alt=\"Ask\" width=\"602\" height=\"514\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Ask1.png 602w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Ask1-300x256.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Ask1-351x300.png 351w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p>Oh <span style=\"text-decoration: underline;\">dear God no<\/span>! 
No Ask.com.\u00a0<strong>Uncheck<\/strong>.\u00a0<strong>Next<\/strong>.<\/p>\n<p>Oh, right, away we go, I gave you my password at the door.\u00a0Installing Java are we?<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-669\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-Installing.png\" alt=\"Java8 Installing\" width=\"602\" height=\"514\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-Installing.png 602w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-Installing-300x256.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-Installing-351x300.png 351w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-670\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Installed.png\" alt=\"Installed\" width=\"602\" height=\"514\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Installed.png 602w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Installed-300x256.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Installed-351x300.png 351w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p>OK, I&#8217;ve successfully installed Java then, if you say so&#8230; I guess that&#8217;s proof alright!<br \/>\nIt then takes you to the <a href=\"https:\/\/java.com\/en\/download\/installed.jsp\">Verify Java page<\/a>\u00a0\u2014 but who cares about that!<\/p>\n<p>What does <strong>\/var\/log\/install.log<\/strong>\u00a0say about what\u00a0was\u00a0installed?<\/p>\n<p><a href=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/QT7-install-Java8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-671\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/QT7-install-Java8-300x189.png\" alt=\"QT7 install Java8\" width=\"300\" height=\"189\" 
srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/QT7-install-Java8-300x189.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/QT7-install-Java8-1024x644.png 1024w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/QT7-install-Java8-477x300.png 477w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/QT7-install-Java8.png 1451w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Yep, it installed the <strong>QuickTime7<\/strong> package we put in there and Java Updater 40.app was none the wiser.<\/p>\n<p>So in conclusion&#8230; That&#8217;s a really nifty &#8220;Ask Toolbar installer&#8221;\u00a0with arbitrary package installer, Oracle. It&#8217;s also a great delivery vehicle\u00a0for malware by\u00a0nefarious\u00a0folks. Heck, bundle Java along with your Trojan and the &#8220;Verify Java&#8221; page would open too!\u00a0Sheesh. Is the Ask\u00a0contract that lucrative?\u00a0Oracle made\u00a0<a href=\"http:\/\/en.wikipedia.org\/wiki\/Oracle_Corporation\">$38 billion<\/a> in revenue last year; IAC, the parent of Ask.com, pulled in <a href=\"http:\/\/en.wikipedia.org\/wiki\/IAC_(company)\">$3 billion<\/a>.\u00a0I guess IAC have\u00a0got money to spend and Oracle will take it (but not invest in more secure installers?).<\/p>\n<p>Notes: The first\u00a0attempt used a\u00a0QuickTimePlayer7.6.6_SnowLeopard.pkg with an expired certificate, which halted the install. On the 2nd attempt I stripped out the expired certificate, and it worked. The 3rd time I downloaded a\u00a0newly signed version from Apple, and that too worked.<\/p>\n<p>Parting note for Oracle:<br \/>\nSign your critical packages! If you insist on using your glorified &#8220;Ask Toolbar installer app&#8221; to do this, then require that\u00a0it verify\u00a0the package integrity in some way, Orable! 
(heh, that was a typo but I like it: <strong>Orable<\/strong>, ha!)<\/p>\n<p><a href=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Open-JavaAppletPlugin.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-657\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Open-JavaAppletPlugin-300x186.png\" alt=\"Open JavaAppletPlugin\" width=\"300\" height=\"186\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Open-JavaAppletPlugin-300x186.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Open-JavaAppletPlugin-484x300.png 484w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Open-JavaAppletPlugin.png 532w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><a href=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-No-Lock.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-672\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-No-Lock-300x222.png\" alt=\"Java8 No Lock\" width=\"300\" height=\"222\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-No-Lock-300x222.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-No-Lock-405x300.png 405w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java8-No-Lock.png 704w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Update: Oracle is now signing the package within and the installer can no longer be duped into running an arbitrary package. 
The\u00a0version when this article was written was\u00a01.8.40.25; it is now\u00a01.8.40.27.<\/p>\n<figure id=\"attachment_680\" class=\"thumbnail wp-caption aligncenter\" style=\"width: 310px\"><a href=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java-8-Signed.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-680 size-medium\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java-8-Signed-300x225.png\" alt=\"Java 8 Signed\" width=\"300\" height=\"225\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java-8-Signed-300x225.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java-8-Signed-399x300.png 399w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Java-8-Signed.png 732w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><figcaption class=\"caption wp-caption-text\">It&#8217;s signed now!<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_679\" class=\"thumbnail wp-caption aligncenter\" style=\"width: 542px\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-679 size-full\" src=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Damaged-Java-8.png\" alt=\"Damaged Java 8\" width=\"532\" height=\"288\" srcset=\"https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Damaged-Java-8.png 532w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Damaged-Java-8-300x162.png 300w, https:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/Damaged-Java-8-500x271.png 500w\" sizes=\"auto, (max-width: 532px) 100vw, 532px\" \/><figcaption class=\"caption wp-caption-text\">Attempted JavaAppletPlugin.pkg Replacement<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So perhaps\u00a0you saw my previous post:\u00a0Java 8 without the Adware (aka Java8Unjunker)? Good stuff eh? There was something\u00a0in there that got me thinking: If they didn&#8217;t sign the package, is the app doing any integrity checks on the package inside either? 
Hmmm let&#8217;s see&#8230; Voice over: We&#8217;ve secretly replaced the JavaAppletPlugin.pkg package with QuickTime 7 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,8],"tags":[],"class_list":["post-663","post","type-post","status-publish","format-standard","hentry","category-os-x","category-packages","category-security"],"_links":{"self":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts\/663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/comments?post=663"}],"version-history":[{"count":3,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts\/663\/revisions"}],"predecessor-version":[{"id":681,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts\/663\/revisions\/681"}],"wp:attachment":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/media?parent=663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/categories?post=663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/tags?post=663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}