Polish firm Security Explorations has had enough of broken patches for security vulnerabilities it has reported to vendors.
On Monday, the company’s CEO Adam Gowdiak published on the Full Disclosure mailing list the technical details and PoC code for exploiting a security issue in IBM Java that the vendor had patched poorly. Security Explorations researchers discovered the flaw in early 2013.
“This is the 6th instance of a broken patch we encountered from IBM. Previously, the company failed to address 4 other issues (with one of them improperly patched for two times in a row),” he noted.
In this particular case, the actual root cause of the issue hasn’t been addressed at all, he claims. “There were no security checks introduced anywhere in the code. The patch relied solely on the idea that hiding the vulnerable method deep in the code and behind a Proxy class would be sufficient to address the issue.”
Exploitation of the flaw could lead to a Java security sandbox escape.
IBM confirmed that they know about the problem and are working on fixing it.
A month ago, Security Explorations updated its Disclosure Policy, and in it the company stated that improperly fixed issues will be “publicly disclosed without any prior notice.”
“In the past, some software vendors tried to use legal threats to discourage security researchers from the publication of the results of their research,” they pointed out, and added that any legal threats coming from vendors will be announced in the legal threats section of the company’s website. At the time of writing, the section is empty.