If you spent the last few years of your life worrying about various Adobe PDF exploits, it is time for some fresh news. Java is taking over from Adobe products in the exploits category, and a recent Java digital signature exploit takes things even further in the threat arena. Cybercriminals have started using flaws in Java's digital certificate checks to run their malicious code through web browsers. The misbehaving application is usually signed with a trusted certificate, making it impossible to spot any malicious behavior at first glance.
A similar signed and infected application was found on the website of Chemnitz University of Technology in Germany. The application was signed with a known web exploit toolkit called g01pack, which was probably developed by the Iranian Cyber Army. The first sample of the attack was discovered on Feb 28.
Java 7 brought a new awesome feature called Security Control to the table. With update 11 of Java 7, the security level was set to high, requiring users to approve an applet before it runs, irrespective of whether it is signed or not. However, unsigned applications showed a clear security warning, whereas a signed application simply showed a confirmation dialog, though with the same call to action. In the case of this malicious application, too, the dialog was the one shown for a signed application. However, on closer manual inspection, it was seen that the application was signed with a certificate that had been revoked in December last year. Clearly, Java does not check for revoked certificates by default.
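To show what the missing check looks like in practice, here is an added example (not code from the article or from the Java runtime itself) that verifies a JAR's signatures and then validates each signer's certificate chain with PKIX revocation checking switched on; the default cacerts path and its default password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class JarRevocationCheck {
    // Returns true only if every content entry is signed and every signer chain
    // validates against the trust store WITH revocation status checked.
    // Throws CertPathValidatorException if a signer certificate is revoked or untrusted.
    public static boolean verify(String jarPath) throws Exception {
        // Revocation is OFF in PKIXParameters by default; that is the gap the
        // article describes. Enable OCSP and CRL distribution points so the
        // validator can actually obtain revocation data (otherwise it fails closed).
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        // Assumption: JRE-bundled trust store at the default location/password.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        try (FileInputStream in = new FileInputStream(cacerts)) {
            trust.load(in, "changeit".toCharArray());
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true);   // the non-default, safe setting

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        byte[] buf = new byte[8192];

        // verify=true makes JarFile check each entry's signature as it is read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // An entry's certificates are only populated after it is fully read.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* consume to trigger verification */ }
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null || certs.length == 0) return false; // unsigned entry
                CertPath path = cf.generateCertPath(Arrays.asList(certs));
                validator.validate(path, params); // revoked chain -> exception here
            }
        }
        return true;
    }
}
```

With revocation enabled and no OCSP responder or CRL reachable, validation fails rather than silently passing, which is the behaviour a defender wants when the signer's status cannot be confirmed.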