Researchers release PoC exploit code to bypass broken IBM security patch

Broken patches for security issues are simply not enough. [updated]

[Update 14.53BST: IBM statement]

Security researchers have underlined that poor-quality security patches from vendors are not enough by releasing exploit code that bypasses a flawed IBM security fix.

On Monday, Adam Gowdiak, CEO of the Polish firm Security Explorations, published on the Full Disclosure mailing list a complete proof of concept (PoC), including code, demonstrating that a security patch issued by IBM in July 2013 is broken.

Dubbed "SE-2012-01-IBM-4," and otherwise known as IBM security issue 67 (PDF), the vulnerability lies in the improper use of protocols and code surrounding Java.

An attacker can use the weakness to achieve a complete escape from the Java security sandbox.

The patch did not address the issue properly, despite IBM being told about the problem almost three years ago, according to the researchers.

"This is the 6th instance of a broken patch we encountered from IBM," Gowdiak noted. "Previously, the company failed to address 4 other issues (with one of them improperly patched two times in a row)."

The security researcher says that the root cause of the vulnerability "hasn't been addressed at all"; instead, IBM's developers did little more than bury the problem deeper in the code. Rather than introducing security checks, the patch merely hid the issue behind a proxy class.

"Breaking IBM's patch for Issue 67 requires only several minor changes to our original Proof of Concept code published in Jul 2013," Gowdiak commented.

IBM's own alleged security shortcomings did not stop Big Blue from purchasing Resilient Systems in February this year. The acquisition was aimed at enhancing security operations and offering clients automated response playbooks for cyberattacks.

IBM told ZDNet:

"IBM is aware of the vulnerability and is working to address the issue."
