
IBM software vulnerabilities leave servers open to targeted attacks

08 May 2013

Flaws in the latest IBM SDK Java Technology Edition software are leaving many companies' servers vulnerable to targeted attacks by hackers, according to Security Explorations and Kaspersky Lab researchers.

Security Explorations researcher Adam Gowdiak reported alerting IBM to the software issues in a public post on Monday.

"Security Explorations discovered seven additional security issues in the latest version of IBM SDK Java Technology Edition software. A majority of the new flaws are due to insecure use or implementation of Java Reflection API," wrote Gowdiak.

Kaspersky Lab security researcher Marta Janus told V3 that the bugs are particularly serious because hackers could use them to mount targeted attacks on IBM customers' servers.

"Using these vulnerabilities, criminals can bypass the IBM Java Virtual Machine security sandbox and thus get control over the targeted system," she said.

"It is worth underlining that these vulnerabilities affect the Java SDK developed by IBM for operating systems that are supported by IBM Power Systems (Linux, AIX, IBM i). These vulnerabilities could be used in targeted attacks against server systems that run IBM J9 Java Virtual Machine."

Security Explorations also found that a number of previously reported bugs are still present in the software, despite having been reported close to a year ago.

Gowdiak added: "We found out that four issues reported to IBM in September 2012 had not been fixed correctly by the company. Upon simple exploit code modifications they can still be used to achieve a complete compromise of a target IBM Java environment. The problem with IBM fixes is that they aim to detect only one specific exploit vector and miss many other scenarios.

"Today, a vulnerability notice was sent to IBM corporation containing detailed information about identified weaknesses. Along with that, the company was also provided with source and binary codes for proof-of-concept codes illustrating all new security bypass issues and broken fixes."

Targeted attacks are a growing problem facing most businesses, with criminals continuing to develop new and more ingenious ways to dupe people into falling for their scams. Most recently, a joint study from trade group ISACA and security firm Trend Micro found that one in five businesses has already fallen victim to a targeted attack.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism, Alastair worked in numerous industries as both a freelance copywriter and an artist.
