IBM software vulnerabilities leave servers open to targeted attacks

08 May 2013

Flaws in the latest IBM SDK Java Technology Edition software are leaving many companies' servers vulnerable to targeted attacks by hackers, according to Security Explorations and Kaspersky Lab researchers.

Security Explorations researcher Adam Gowdiak reported alerting IBM to the software issues in a public post on Monday.

"Security Explorations discovered seven additional security issues in the latest version of IBM SDK Java Technology Edition software. A majority of the new flaws are due to insecure use or implementation of Java Reflection API," wrote Gowdiak.

Kaspersky Lab security researcher Marta Janus told V3 that the bugs are particularly serious because hackers could use them to mount targeted attacks on IBM customers' servers.

"Using these vulnerabilities, criminals can bypass the IBM Java Virtual Machine security sandbox and thus get control over the targeted system," Janus said.

"It is worth underlining that these vulnerabilities affect the Java SDK developed by IBM for operating systems that are supported by IBM Power Systems (Linux, AIX, IBM i). These vulnerabilities could be used in targeted attacks against server systems that run IBM J9 Java Virtual Machine."

Security Explorations also found that a number of previously reported bugs remain in the software, despite having been reported close to a year ago.

Gowdiak added: "We found out that four issues reported to IBM in September 2012 had not been fixed correctly by the company. Upon simple modifications to the exploit code, they can still be used to achieve a complete compromise of a target IBM Java environment. The problem with IBM fixes is that they aim to detect only one specific exploit vector and miss many other scenarios.

"Today, a vulnerability notice was sent to IBM corporation containing detailed information about identified weaknesses. Along with that, the company was also provided with source and binary codes for proof-of-concept codes illustrating all new security bypass issues and broken fixes."

Targeted attacks are a growing problem for most businesses, with criminals continuing to develop new and more ingenious ways to dupe people into falling for their scams. Most recently, a joint study from trade group ISACA and security firm Trend Micro found that one in five businesses has already fallen victim to a targeted attack.

Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
