UPDATE: It appears that Java 7 update 51 fixes this security hole.

This web page demonstrates that the Application "Name" in Java Security popups can be easily forged (full details):
  1. Make sure you are running Java 1.6 or later -- but if you are not running the latest Java (1.7.0_40 as of now), upgrade immediately due to many security vulnerabilities.
  2. Enter a forged application name below and press 'Test Java' -- the "Java Detection" applet from java.com will be run inside this web page with the forged name you entered.
  3. If asked whether you want to run Java (as in Chrome), answer yes.
  4. You will then get a security dialog from Java -- note the 'Name' in the popup dialog, which Java says is running from www.java.com and is signed by Publisher Oracle America, Inc.
  5. Press 'Cancel' to prevent the Java code from running -- or press 'Run' to allow the code to run (you will get a JavaScript popup from this web page with the Java version information). Then ask yourself why Oracle's Java Detection applet, signed to only run on java.com, is running inside this web page and calling JavaScript in this web page!


This web page was tested and works under XP/IE8/Java6, Win7/IE10/Java7, and Win7/Chrome29/Java7.