Fortify Software's Security Research Group reported that so-called 'cross-build injection attacks' could allow a hacker to insert code into the target program while it is being constructed.
The use of open source coding tools have opened the doors to "possible system-wide exploits", according to Fortify.
If an attacker compromises either the server that hosts a component, or the DNS server that the build machine uses to locate that server, he could use these vulnerabilities to take full control of the build machine and possibly other machines on the remote network.
Fortify discovered that, during the application build process, systems that automatically download external dependencies, including the popular Ant, Maven and Ivy tools, are particularly vulnerable.
The research found that hackers could compromise the basic source for the project by subverting the build process, and replacing it with a version that includes malicious components such as Trojans and other malware.
"While external dependencies and open source components do not necessarily represent an unacceptable security risk, Fortify's researchers demonstrated that they deserve proper vetting to ensure that they do not compromise the security of applications that make use of them," the security company stated.
Brian Chess, Fortify's founder and chief scientist, added: "This new class of vulnerabilities highlights the increasing attention hackers are paying to software development as a means of entry into enterprise systems.
"Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete.
"This has happened in the past and the newest build tools are causing enterprises to be much more vulnerable to this type of attack today."
Fortify has published a white paper on the issue entitled Attacking the Build through Cross-Build Injection (PDF).
Hackers eye open source coding tools
By Robert Jaques on Oct 11, 2007 2:44PM
Enterprises using open source software to engineer custom applications could be vulnerable to a newly discovered class of hack attack, a security firm claimed today.
Got a news tip for our journalists? Share it with us anonymously here.