UPDATE: It appears that Java 7 update 51 fixes this security hole.
This web page demonstrates that the Application "Name" in Java Security popups can be easily forged (full details):
Make sure you are running Java 1.6, or later
-- but if you are not running the latest Java (1.7.0_40 as of now), upgrade immediately due to
many security vulnerabilities
Enter a forged application name below and press 'Test Java' -- The "Java Detection" applet
from java.com will be run inside this web page with the forged name entered below.
If asked if you want to run Java (like in Chrome), answer yes
You will then get a security dialog from Java -- note the 'Name' in the popup
dialog -- that Java says is running from www.java.com signed by
Publisher Oracle America, Inc.
Press 'cancel' to prevent the java code from running -- Or press Run to allow the code to
run (you will get a JavaScript popup from this web page with the Java version
information) and ask yourself why Oracle's Java Detection applet, signed to only run
on java.com, is running inside this web page, and calling JavaScript in this web page!
This web page was tested and works under XP/IE8/Java6, Win7/IE10/Java7, and Win7/Chrome29/Java7