The research firm Security Explorations issued a proof-of-concept code that shows a supposedly patched IBM Java issue is still vulnerable.
Adam Gowdiak, CEO of Security Explorations, posted at Full Disclosure that the fix put in place by IBM three years ago to patch a flaw in IBM Java had an easy work around and that all Big Blue had done when installing the patch was bury the problem inside the code. Gowdiak’s team first pointed out the problem, labeled Issue 67, to IBM in May 2013.
“The actual root cause of the issue hasn’t been addressed at all. There were no security checks introduced anywhere in the code. The patch relied solely on the idea that hiding the vulnerable method deep in the code and behind a Proxy class would be sufficient to address the issue,” he wrote.
To prove its point Security Explorations posted a proof-of-concept code.
“IBM is aware of the vulnerability and is working to address the issue,” IBM told SCMagazine.com Thursday in an emailed statement.
Gowdiak said this was not the first time IBM had been unresponsive to one of his company’s findings.
“This is the 6th instance of a broken patch we encountered from IBM. Previously, the company failed to address 4 other issues (with one of them improperly patched for two times in a row),” he wrote.