On 13-14 of May 2010 an international conference GeeCON was held. Second edition of the event devoted to the Java language and Java Virtual Machine based technologies this time took place in Poznań, at the Multikino 51 cinema.
It was organized by GiK Association, Polish Java User Group, Poznań Java User Group in cooperation with the city of Poznań, Poznań Supercomputing and Networking Center and Adam Mickiewicz Uniwersity. During two days of meetings the event gathered around 450 participants from all over the world.
The conference was opened by Thorbiörn Fritzon in lecture “The Future of Java”. Information about the future of Java was awaited especially after Oracle acquisition of Sun. Then almost 40 lectures was stared in three simultaneous sessions. Dalibor Topic show status of works on JDK 7. Bruno Bossola was convincing us to true object oriented programming and Dawid Weiss presented how fast is Java and how it can be speeded up. There were also practical demonstrations. Hans Dockter showed capabilities of Gradle, a build system. Andres Almiray presented process of creating desktop application with Griffon framework.
Presentations are available on the conference website.
Not so long ago information about the critical security flaw discovery in the Java Runtime Environment (JRE) spread across the world. Flaw which gives the possibility to run any code (malicious as well) through Java Web Start component.
For instance the error could occur during execution of a Java applet at any HTML web page. The problem was that there was no validation mechanism for command-line parameters used with the „javaws.exe” command, which was internally executed, so that it was possible to run any code (with user rights) through properly prepared HTML code.
The flaw concerned especially the Windows system family but probably it was possible to prepare attack on Linux systems as well.
It would be difficult to call the Oracle`s initial reaction as responsible – despite the reported attacks, patch was not prepared immediately. However , thanks mainly to disclosure actions of Google`s security researcher Tavis Ormandy, company decided to release (with a short delay) Update 20 of JRE, which eventually fixed the bug. Proposed by Ormandy way to execute unwanted code was after the update unsuccessful. Independently from Ormandy other security researcher – Ruben Santamarta proposed his solution of attack, which code of proof-of-concept can be checked on page: http://www.exploit-db.com/download/12122.
Eventually dangerous code was repaired and thanks to new JRE upgrade it should be safe to use Java Web Start Framework, which is widely known and often used standard – also dLibra software uses it, e.g. when running administrator/editor application from reader application.
For those who have not yet installed new JRE upgrade we give the advice to do so.