Security firm warns of 'cross-build injection vulnerability'
vnunet.com, 10 Oct 2007
Enterprises using open source software to engineer custom applications could be vulnerable to a newly discovered class of hack attack, a security firm claimed today.
Fortify Software's Security Research Group reported that so-called 'cross-build injection attacks' could allow a hacker to insert code into the target program while it is being constructed.
The use of open source coding tools have opened the doors to "possible system-wide exploits", according to Fortify.
If an attacker compromises either the server that hosts a component, or the DNS server that the build machine uses to locate that server, he could use these vulnerabilities to take full control of the build machine and possibly other machines on the remote network.
Fortify discovered that, during the application build process, systems that automatically download external dependencies, including the popular Ant, Maven and Ivy tools, are particularly vulnerable.
The research found that hackers could compromise the basic source for the project by subverting the build process, and replacing it with a version that includes malicious components such as Trojans and other malware.
"While external dependencies and open source components do not necessarily represent an unacceptable security risk, Fortify's researchers demonstrated that they deserve proper vetting to ensure that they do not compromise the security of applications that make use of them," the security company stated.
Brian Chess, Fortify's founder and chief scientist, added: "This new class of vulnerabilities highlights the increasing attention hackers are paying to software development as a means of entry into enterprise systems.
"Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete.
"This has happened in the past and the newest build tools are causing enterprises to be much more vulnerable to this type of attack today."
Fortify has published a white paper on the issue entitled Attacking the Build through Cross-Build Injection (PDF).
Hacking attempts estimated to have almost doubled in the past year
Blonde with pigtails infects the curious with a Trojan
Remote access - Three steps to getting connected
3.4 million UK professionals now work from home – is your company equipped?
Cost benefits of a global collaboration network
This white paper is a must read for organisations looking for evidence of the bottom-line benefits of high-definition video and voice communications
Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.
Join our live chat session on Thursday at 11am to...
Researchers from security firm FireEye have been able to effectively...
Do you agree?
Have your say on this article