All the latest UK technology news, reviews and analysis
|
|
|
10 Oct 2007
Enterprises using open source software to engineer custom applications could be vulnerable to a newly discovered class of hack attack, a security firm claimed today.
Fortify Software's Security Research Group reported that so-called 'cross-build injection attacks' could allow a hacker to insert code into the target program while it is being constructed.
The use of open source coding tools have opened the doors to "possible system-wide exploits", according to Fortify.
If an attacker compromises either the server that hosts a component, or the DNS server that the build machine uses to locate that server, he could use these vulnerabilities to take full control of the build machine and possibly other machines on the remote network.
Fortify discovered that, during the application build process, systems that automatically download external dependencies, including the popular Ant, Maven and Ivy tools, are particularly vulnerable.
The research found that hackers could compromise the basic source for the project by subverting the build process, and replacing it with a version that includes malicious components such as Trojans and other malware.
"While external dependencies and open source components do not necessarily represent an unacceptable security risk, Fortify's researchers demonstrated that they deserve proper vetting to ensure that they do not compromise the security of applications that make use of them," the security company stated.
Brian Chess, Fortify's founder and chief scientist, added: "This new class of vulnerabilities highlights the increasing attention hackers are paying to software development as a means of entry into enterprise systems.
"Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete.
"This has happened in the past and the newest build tools are causing enterprises to be much more vulnerable to this type of attack today."
Fortify has published a white paper on the issue entitled Attacking the Build through Cross-Build Injection (PDF).
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Hands on with the highly anticipated Android 4.0 Ice Cream Sandwich hybrid tablet
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Low Latency Network Engineer, Senior Network Engineer...
SQL DBA - (North London) North London , £45k - 50k...
Business Architect – (North London) £65,000 – 75,000k...
Graduate Software Engineer - Javascript OR Android...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
new? since when?
if u call this kind of attacks new, u must been sleepin for long time. there have been several tries to hack debian servers, which provide apt with packets.
Posted by: woobi doobi doob 22 Nov 2007