Hackers eye open source coding tools

Security firm warns of 'cross-build injection vulnerability'

Written by Robert Jaques

vnunet.com, 10 Oct 2007

Enterprises using open source software to engineer custom applications could be vulnerable to a newly discovered class of hack attack, a security firm claimed today.

Fortify Software's Security Research Group reported that so-called 'cross-build injection attacks' could allow a hacker to insert code into the target program while it is being constructed.

The use of open source coding tools have opened the doors to "possible system-wide exploits", according to Fortify.

If an attacker compromises either the server that hosts a component, or the DNS server that the build machine uses to locate that server, he could use these vulnerabilities to take full control of the build machine and possibly other machines on the remote network.

Fortify discovered that, during the application build process, systems that automatically download external dependencies, including the popular Ant, Maven and Ivy tools, are particularly vulnerable.

The research found that hackers could compromise the basic source for the project by subverting the build process, and replacing it with a version that includes malicious components such as Trojans and other malware.

"While external dependencies and open source components do not necessarily represent an unacceptable security risk, Fortify's researchers demonstrated that they deserve proper vetting to ensure that they do not compromise the security of applications that make use of them," the security company stated.

Brian Chess, Fortify's founder and chief scientist, added: "This new class of vulnerabilities highlights the increasing attention hackers are paying to software development as a means of entry into enterprise systems.

"Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete.

"This has happened in the past and the newest build tools are causing enterprises to be much more vulnerable to this type of attack today."

Fortify has published a white paper on the issue entitled Attacking the Build through Cross-Build Injection (PDF).

Tags:

reader comments

related articles

Check Point puts ForceField around browsers

ZoneAlarm plays in the sandbox 10 Oct 2007

 

Spammers zoom in on YouTube servers

'Invite Your Friends' feature exploited to send junk mail 09 Oct 2007

Hackers step up attacks on US utilities

Hacking attempts estimated to have almost doubled in the past year 08 Oct 2007

Hacker spam poses as old school friend

Blonde with pigtails infects the curious with a Trojan 05 Oct 2007

Brits 'too lazy' to prevent ID theft

Survey uncovers widespread apathy 04 Oct 2007

Security expert slams PCI auditing

PCI compliance does not guarantee security 04 Apr 2008

Hackers step up website attacks

Security forecast for 2008 makes grim reading 20 Feb 2008

Security

DNS exploit haunts researcher

Local ISP attack affects BreakingPoint 31 Jul 2008

related whitepapers

today's top stories

Management

Computing launches all-new IT jobs site

Updated Computingcareers.co.uk provides enhanced feature for jobseekers 14 Oct 2008

Internet

Q&A: BT Business head of SaaS, Chris Lindsay

BT's head of software-as-a-service explains the benefits of the on-demand delivery model and how the current economic downturn could force firms to re-evaluate how they buy software 14 Oct 2008

Communications

WiMax: Threat or opportunity?

We examine the merits of WiMax and its benefits relative to other wireless technologies in our latest video 13 Oct 2008

The Big Picture

Learning from the credit crunch to avoid a broadband crunch

While it might be the most pressing issue de jour , the financial system isn’t the only area where government needs to... 10 Oct 2008

Management

How careerism can warp IT procurement

Many working in IT put their career interests before those of their employer when weighing up purchasing options 10 Oct 2008

> More news

Advertisement

Newsletter signup

Sign up for our range of FREE newsletters:

Existing User

Newsletter user login:

Jobs

Related jobs

Job of the week

> More IT vacancies

Job alerts

  • Latest jobs to your inbox
Sign up here

Find your next job


IT Salary Checker

  • Are you being paid what you are worth?
Check salary here

Advertisement

White papers

Search white papers

Top categories

VPN, Extranet and Intranet Solutions

WAN/ LAN Solutions

Network Security

Interoperability-Connectivity

Grid/ Utility Computing

Latest poll

Are you worried about your job prospects in IT over the next 12 months?

Are you worried about your job prospects in IT over the next 12 months?

Will the economic crisis affect your job prospects?

Previous poll results

> More polls

Latest audio and video articles

Remote workerVideo

WiMax: Threat or opportunity?

We examine the merits of WiMax and its benefits relative to other wireless technologies in our latest video 13 Oct 2008

programming codeVideo

The definitive guide to software development

Five key trends and five best practice tips to help you improve your programming capabilities 09 Oct 2008

> More audio and video

Latest in-depth articles

BT TowerAnalysis

Q&A: BT Business head of SaaS, Chris Lindsay

BT's head of software-as-a-service explains the benefits of the on-demand delivery model and how the current economic downturn could force firms to re-evaluate how they buy software 14 Oct 2008

Financial Services Authority buildingAnalysis

FSA threatens executives with fines

Senior management to be held accountable for security lapses at banks 09 Oct 2008

> More in depth articles

Advertisement

Primary Navigation