Security Explorations researcher Adam Gowdiak reported alerting IBM to the software issues in a public post on Monday.
"Security Explorations discovered seven additional security issues in the latest version of IBM SDK Java Technology Edition software. A majority of the new flaws are due to insecure use or implementation of Java Reflection API," wrote Gowdiak.

Kaspersky Lab security researcher Marta Janus told V3 that the bugs are particularly bad as they could be used by hackers to mount targeted attacks on IBM customers' servers.
"Using these vulnerabilities, criminals can bypass the IBM Java Virtual Machine security sandbox and thus get control over the targeted system," she said.
"It is worth underlining that these vulnerabilities affect the Java SDK developed by IBM for operating systems that are supported by IBM Power Systems (Linux, AIX, IBM i). These vulnerabilities could be used in targeted attacks against server systems that run IBM J9 Java Virtual Machine."
Security Explorations also discovered that a number of previously discovered bugs are also still in the software, despite being reported close to a year ago.
Gowdiak added: "We found out that four issues reported to IBM in September 2012 had not been fixed correctly by the company. Upon simple exploit code modifications they can still be used to achieve a complete compromise of a target IBM Java environment. The problem with IBM fixes is that they aim to detect only one specific exploit vector and miss many other scenarios.
"Today, a vulnerability notice was sent to IBM corporation containing detailed information about identified weaknesses. Along with that, the company was also provided with source and binary codes for proof-of-concept codes illustrating all new security bypass issues and broken fixes."
Targeted attacks are a growing problem facing most businesses, with criminals continuing to develop new and more ingenious ways to dupe people into falling for their scams. Most recently, a joint study from trade group ISACA and security firm Trend Micro found that one in five businesses has already fallen victim to a targeted attack.