Not so long ago information about the critical security flaw discovery in the Java Runtime Environment (JRE) spread across the world. Flaw which gives the possibility to run any code (malicious as well) through Java Web Start component.
For instance the error could occur during execution of a Java applet at any HTML web page. The problem was that there was no validation mechanism for command-line parameters used with the „javaws.exe” command, which was internally executed, so that it was possible to run any code (with user rights) through properly prepared HTML code.
The flaw concerned especially the Windows system family but probably it was possible to prepare attack on Linux systems as well.
It would be difficult to call the Oracle`s initial reaction as responsible – despite the reported attacks, patch was not prepared immediately. However , thanks mainly to disclosure actions of Google`s security researcher Tavis Ormandy, company decided to release (with a short delay) Update 20 of JRE, which eventually fixed the bug. Proposed by Ormandy way to execute unwanted code was after the update unsuccessful. Independently from Ormandy other security researcher – Ruben Santamarta proposed his solution of attack, which code of proof-of-concept can be checked on page: http://www.exploit-db.com/download/12122.
Eventually dangerous code was repaired and thanks to new JRE upgrade it should be safe to use Java Web Start Framework, which is widely known and often used standard – also dLibra software uses it, e.g. when running administrator/editor application from reader application.
For those who have not yet installed new JRE upgrade we give the advice to do so.