Java 8 Update 40 Installer App Fun!

So perhaps you saw my previous post: Java 8 without the Adware (aka Java8Unjunker)?

Java 8 U40 App

Good stuff eh? There was something in there that got me thinking: If they didn’t sign the package, is the app doing any integrity checks on the package inside either? Hmmm let’s see…

Voice over: We’ve secretly replaced the JavaAppletPlugin.pkg package with QuickTime 7 let’s see if it can tell the difference!
Not Java

Here we go!
Sure let me authenticate right when you run before any confirmation of action – why not!? (Ugh, bad form already.)

Java8 Auth

Safe and Easy

Oh OK, “safe and easy” – I love it! But just to clarify…
By “easy” you mean: Checking lots of trust boxes and clicking “Run” buttons a lot to get a Java apps working (plus crossing your fingers)?
By “safe” you mean: a steady stream of high scored CVEs with low complexity? Or even running in Unsafe Mode when needed?

OK what’s next?

Ask

Oh dear God no! No Ask.com. UncheckNext.

Oh, right, away we go, I gave you my password at the door. Installing Java are we?
Java8 InstallingInstalled

OK I’ve successfully installed Java then if you say so… I guess I that’s proof alright!
It then takes you to the Verify Java page — but who cares about that!

What does /var/log/install.log say about what was installed?

QT7 install Java8

 

Yep it installed the QuickTime7 package we put in there and Java Updater 40.app was none the wiser.

So in conclusion… That’s a really nifty “Ask Toolbar installer” with arbitrary package installer Oracle. It’s also a great delivery vehicle for malware by nefarious folks. Heck, bundle Java along with your Trojan and the “Verify Java” page would open too! Sheesh. Is the Ask contract that lucrative? Oracle made $38 billion in revenue last year, IAC the parent of Ask.com pulled in $3 billion. I guess IAC have got money to spend and Oracle will take it (but not invest in more secure installers?)

Notes: The first attempt used a QuickTimePlayer7.6.6_SnowLeopard.pkg with an expired certificate, that halted the install. The 2nd attempt I stripped out the expired certificate. It worked. The 3rd time I downloaded a newly signed version from Apple, that too worked.

Parting note for Oracle:
Sign your critical packages! If you insist on using your glorified “Ask Toolbar installer app” to do this, then require that it verify the package integrity in some way, Orable! (heh, that was a typo but I like it: Orable, ha!)

Open JavaAppletPluginJava8 No Lock

 

Update: Oracle is now signing the package within and the installer can no longer be duped into running an arbitrary package. The version when this article was written was 1.8.40.25, it is now 1.8.40.27.

Java 8 Signed
It’s signed now!

 

Damaged Java 8
Attempted JavaAppletPlugin.pkg Replacement