Open-source Software Flaws could Compromise Applications
Hackers using cross-build injection attacks could exploit vulnerabilities in open-source applications to inject malware into software at different stages of its development, researchers at Fortify have warned.
This could further allow an attacker to take control of the domain name system (DNS) or the server hosting the component, enabling the attacker to remotely compromise the target machine and other PCs on the network, said experts at the security company.
By abusing open-source coding tools, it is possible to exploit systems on a wide scale, Fortify said.
Several past incidents have involved open-source components that were in a compromised state. These compromises were similar in many ways: they took place in projects that used open source; they occurred when an attacker corrupted the project's canonical source repository and inserted malware; and they harmed users who typically installed the components through automated build systems on the target machine.
An attacker who breaks into either the server hosting a component or the DNS server used by the target machine could exploit these bugs to take over the target computer and possibly other PCs on the network.
Fortify found that build systems that download external dependencies by default during software development, such as the popular Maven, Ivy and Ant tools, are at risk.
The research revealed that a project's canonical source was vulnerable to hackers who could corrupt the application under development by installing in its place an alternative version containing Trojans or other malicious code.
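A defensive check against the substitution described above, added here as an illustration and not code from Fortify or its report: pin the hash of each build dependency from a copy obtained through a trusted channel, then refuse any build-time download that does not match, so an artifact swapped on a compromised repository or reached through a redirected DNS name never enters the build. The artifact coordinates and byte contents below are constructed stand-ins.

```python
import hashlib
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pin_artifacts(trusted: Dict[str, bytes]) -> Dict[str, str]:
    """Build the lock table (coordinate -> SHA-256) from copies obtained through a
    trusted channel; commit this table to source control beside the build file."""
    return {coord: sha256_hex(data) for coord, data in trusted.items()}

def verify_download(coord: str, data: bytes, pins: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a build-time download may be used. Fails closed: an artifact
    with no pin is rejected rather than silently accepted."""
    expected = pins.get(coord)
    if expected is None:
        return False, f"{coord}: no pinned hash, refusing unverified download"
    actual = sha256_hex(data)
    if actual != expected:
        return False, f"{coord}: hash mismatch (expected {expected[:12]}.., got {actual[:12]}..)"
    return True, f"{coord}: verified"

def resolve_build(served: Dict[str, bytes], pins: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Check everything the repository returned; the build proceeds only if nothing is rejected."""
    accepted, rejected = [], []
    for coord, data in served.items():
        ok, reason = verify_download(coord, data, pins)
        (accepted if ok else rejected).append(reason)
    return accepted, rejected

# Constructed stand-ins for jar files fetched once from a trusted source (hypothetical coordinates).
TRUSTED_ARTIFACTS = {
    "org.example:widget:1.2": b"PK\x03\x04 widget-1.2 genuine",
    "org.example:util:0.9": b"PK\x03\x04 util-0.9 genuine",
}
# Constructed view of what a compromised repository (or a DNS-redirected impostor) serves
# at build time: util has been swapped for a tampered copy and an unpinned extra appears.
SERVED_AT_BUILD = {
    "org.example:widget:1.2": b"PK\x03\x04 widget-1.2 genuine",
    "org.example:util:0.9": b"PK\x03\x04 util-0.9 tampered",
    "org.example:extra:3.0": b"PK\x03\x04 extra-3.0 never pinned",
}

if __name__ == "__main__":
    pins = pin_artifacts(TRUSTED_ARTIFACTS)
    accepted, rejected = resolve_build(SERVED_AT_BUILD, pins)
    print("\n".join(accepted + rejected))
    print("build", "BLOCKED" if rejected else "may proceed")
```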
Fortify's Chief Scientist and Founder Brian Chess added that this new class of vulnerabilities shows how hackers are increasingly focusing on software development as a means to invade enterprise systems. Vnunet reported this on October 10, 2007.
The security software company has added the necessary changes to its secure coding rules so that customers can deal with the flaws. It has also published a white paper detailing the attacks, according to Jacob West, Manager of the Security Research Group at Fortify. PRNewswire reported this on October 9, 2007.
» SPAMfighter News - 26-10-2007