Posted by Flash Gordon on December 20, 2005, 4:44 pm
Ludovic Joly wrote:
> Friends,
>
> With the ever-growing success of open source software, it is
> becoming very natural to import source code projects from various
> sources and build them locally, especially in R&D or other high-tech
> departments, and also in security-concerned structures.
>
> It occurred to me that an attack could be performed based on a Visual
> Studio project. Pre and post build settings of a project could allow an
> attacker to automatically run an executable file before or after a
> build.
Anyone in a position to set up such an attack is far more likely to
simply put something in the source.
> As a conclusion: one can only recommend the project is carefully
> inspected before Build. Especially if the project comes from an
> untrusted source.
Well, you should never trust anything from an untrusted source!
Seriously, if the source is one that might do an attack such as you are
suggesting you would have to do a thorough audit of the entire thing
anyway before making any use of it.
--
Flash Gordon
Living in interesting times.
Although my email address says spam, it is real and I read it.
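
An added example, not part of the original thread: one way to do the project inspection discussed above is to list every command a project file would run at build time before opening or building it. It goes beyond the pre- and post-build settings named in the post by also covering pre-link and custom build steps and MSBuild `Exec` tasks; the function names and both sample projects are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Legacy .vcproj tools whose CommandLine runs during the build.
VCPROJ_TOOLS = {"VCPreBuildEventTool", "VCPreLinkEventTool",
                "VCPostBuildEventTool", "VCCustomBuildTool"}
# MSBuild (.csproj/.vcxproj) elements that hold build-event commands.
MSBUILD_EVENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}

def local(tag):
    """Strip the XML namespace that MSBuild files put on every element."""
    return tag.rsplit("}", 1)[-1]

def find_build_commands(xml_text):
    """Return (kind, command) for each command the project would run when built."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "Tool" and el.get("Name") in VCPROJ_TOOLS:
            cmd = (el.get("CommandLine") or "").strip()
            if cmd:
                findings.append((el.get("Name"), cmd))
        elif name in MSBUILD_EVENTS:
            # .csproj keeps the command as element text; .vcxproj uses a <Command> child.
            parts = [el.text or ""] + [c.text or "" for c in el if local(c.tag) == "Command"]
            cmd = "\n".join(p.strip() for p in parts if p.strip())
            if cmd:
                findings.append((name, cmd))
        elif name == "Exec" and el.get("Command"):
            findings.append(("Exec", el.get("Command").strip()))
    return findings

# Constructed samples (not taken from any real project).
SAMPLE_VCPROJ = """<VisualStudioProject Name="demo">
  <Configurations><Configuration Name="Debug|Win32">
    <Tool Name="VCPreBuildEventTool" CommandLine="tools\\prepare.bat"/>
    <Tool Name="VCCLCompilerTool" Optimization="0"/>
    <Tool Name="VCPostBuildEventTool" CommandLine=""/>
  </Configuration></Configurations>
</VisualStudioProject>"""
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><PostBuildEvent>call "$(ProjectDir)sign.cmd"</PostBuildEvent></PropertyGroup>
  <Target Name="AfterBuild"><Exec Command="helper.exe /q" /></Target>
</Project>"""

if __name__ == "__main__":
    for sample in (SAMPLE_VCPROJ, SAMPLE_CSPROJ):
        for kind, cmd in find_build_commands(sample):
            print(f"{kind}: {cmd}")
```

An empty result only means none of these hooks are set; it says nothing about the source files themselves, which still need their own review.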