Oracle Java, easily the most attacked and successfully exploited browser plugin, is on my radar again after finding new ways to fail at security.
The first sign of trouble recently was posted on Jerry Jongerius’s site, Duckware. He described the embarrassingly broken code signing implementation in the Java Runtime Environment (JRE).
The purpose of code signing is to cryptographically ensure that you can identify who created a program and that it hasn’t been tampered with by any third parties.
For example, Oracle offers a test applet (applets are Java programs that run in your browser) to determine whether your version of Java is up to date.
When Java downloads the applet, you are prompted to run it with a warning that Java applets can be dangerous, along with the name of the applet, its publisher and the URL serving it to you.
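To make concrete what that prompt is supposed to rest on, here is a small model of a code-signing check, added as an example and not taken from the article or from Oracle's JRE. It mimics the JAR layout in spirit only: a manifest lists a SHA-256 digest for every entry, and the manifest itself carries a detached Ed25519 signature. The file names, contents and key pair are constructed; the two failure messages are this example's own. A verifier that accepts a bundle must establish both properties the text names, that the signature was produced by the expected publisher's key and that no entry has changed since signing, and it must check them in that order, since a digest list that has not been authenticated proves nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// SignedBundle stands in for a signed JAR: the entries, the manifest that
// digests them, and a signature over the manifest (all constructed here).
type SignedBundle struct {
	Files    map[string][]byte
	Manifest string
	Sig      []byte
}

// buildManifest produces one "name sha256=<hex>" line per entry, sorted so
// the same set of files always yields the same bytes to sign.
func buildManifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s sha256=%s\n", n, hex.EncodeToString(sum[:]))
	}
	return b.String()
}

// Sign digests the entries and signs the resulting manifest with the
// publisher's private key.
func Sign(priv ed25519.PrivateKey, files map[string][]byte) SignedBundle {
	m := buildManifest(files)
	return SignedBundle{Files: files, Manifest: m, Sig: ed25519.Sign(priv, []byte(m))}
}

// Verify reports nil only when the manifest signature checks out under the
// expected publisher's key AND every entry still matches its signed digest.
// The signature is checked first: an unauthenticated manifest is untrusted
// input, so its digests must not be used to judge anything.
func Verify(pub ed25519.PublicKey, b SignedBundle) error {
	if !ed25519.Verify(pub, []byte(b.Manifest), b.Sig) {
		return fmt.Errorf("manifest signature invalid: publisher cannot be identified")
	}
	if buildManifest(b.Files) != b.Manifest {
		return fmt.Errorf("entry digests do not match signed manifest: content tampered")
	}
	return nil
}

func main() {
	// Constructed publisher key pair and applet contents.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{
		"VersionCheck.class": []byte("constructed class bytes"),
		"META-INF/notes.txt": []byte("constructed resource"),
	}
	bundle := Sign(priv, files)
	fmt.Println("genuine bundle:", Verify(pub, bundle))

	// Tampered entry, signed manifest left untouched: digest check fails.
	tampered := map[string][]byte{
		"VersionCheck.class": []byte("something else entirely"),
		"META-INF/notes.txt": files["META-INF/notes.txt"],
	}
	fmt.Println("modified entry: ", Verify(pub, SignedBundle{Files: tampered, Manifest: bundle.Manifest, Sig: bundle.Sig}))

	// Re-signed by a different key: signature check fails, so the publisher
	// shown to the user cannot be the one who vouched for these bytes.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other signer:   ", Verify(pub, Sign(otherPriv, tampered)))
}
```

The point of the two failing cases is that a prompt naming a publisher is only meaningful if the runtime refuses to run the code when either check fails; a verifier that displays the publisher from the manifest but does not bind it to the signature, or that signs off on entries the manifest never listed, gives the user a name without the guarantee behind it.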