
That's only true if Java's signature validation isn't vulnerable (or at least is no more vulnerable than the signature verification for a normal OS).

Searching around, it looks like there was at least one vulnerability like this, in which Java failed to check certificates for revocation, and at least one exploit was found in the wild signed with a stolen, revoked certificate that Java still accepted.

This is especially fun because Java at least tries to sandbox unsigned applets, but signed applets get a lot more privileges.



