Wednesday, February 24, 2010

Exploitable Third Party Software

The company that is the target of 80% of the Internet desktop exploits uses a third-party software downloader to distribute its product.

The downloader turns out to be exploitable.

In this case, I have no sympathy for Adobe. Based on their track record, it’s safe to assume that if they’d written the downloader instead of buying it, it’d be exploitable anyway.

But for the rest of us? What do we do when our dev team wants to integrate third-party software into our home-made applications? How do we know that widget-kit6 is not going to be the exploit path that leads us to our RGE? Let’s pretend that we’re writing the world’s best code and that we’ve got a sound design. What about that pie-chart wizard thing that we downloaded from the net and included in our build?

I don’t want to think about it right now. I need to check all my online bank accounts & make sure they haven’t been hijacked in the hour since I checked them last.
