October 11th, 2007
Fortify calls Apache tools insecure
Fortify Software chief scientist Brian Chess and his team have published a white paper demonstrating how cross-build injection attacks could let criminals take control of programs as they are being written.
In particular the paper says three Apache projects — Ant, Maven, and Ivy (the latter is now in an Apache incubator) could make developers, and their employers, vulnerable.
All three projects are “external dependencies” which are loaded during a build process, Fortify wrote. A criminal could thus hijack the build and enable trojans or other programs future access.
While the vulnerability at this point is theoretical — the main fix so far is an update to security coding rulepacks — the alert highlights just how sophisticated criminal gangs are becoming in their efforts to hijack PCs for use by botnets, which are now the major security threat on the Internet. Once broken into smaller botnets to escape detection, they can be rented out to other criminals for as little as $1,000 per hour.
Botnets are not just being used for distributing spam or viruses anymore. They’re also being used to blackmail sites with threats of DNS attacks. Some alarmists even see them determining the next President as politicians use them for dirty tricks campaigns.
Given all that the idea of someone hijacking your little corporate build by getting between your development team and its tools is not that far-fetched. And it’s useful to know what is theoretically possible before you find out about vulnerabilities the hard way.
Dana Blankenhorn has been a business journalist for 30 years, a tech freelancer since 1983. You can follow Dana on Twitter. See his full profile and disclosure of his industry affiliations.
Subscribe to Linux and Open Source via Email alerts or RSS.
| 10/11/07
