Plateforme Level Extreme
Abonnement
Profil corporatif
Produits & Services
Support
Légal
English
Security exploits in third party libraries
Message
De
31/03/2020 05:22:26
Al Doman
M3 Enterprises Inc.
North Vancouver, Colombie Britannique, Canada
 
 
À
31/03/2020 02:43:55
Christian Isberner
Hannover, Allemagne
Information générale
Forum:
Visual FoxPro
Catégorie:
Produits tierce partie
Titre:
Re: Security exploits in third party libraries
Divers
Thread ID:
01673898
Message ID:
01673902
Vues:
63
This message has been marked as a message which has helped to the initial question of the thread.
>I was wondering what it means to have a security exploit in a library that is used by our application.
>
>For instance we are using 7-zip for compression in our application (for instance to create backup files), which we install through our setup program in a folder together with our application. We don't actually install 7-zip application, but just copy the libraries that are then used by our application.
>
>As an example, there were security updates for 7-zip in the past because of vulnerabilities (https://www.groovypost.com/news/serious-security-exploits-found-in-7-zip-update-available/)
>
>What would that mean for our application, if we won't update the 7-zip libraries on time, how would an attacker be able to take advantage of those libraries to exist in our application folder? I am not sure if the fact that these libraries are only used from our application don't pose a security risk, because they are actually not used directly by the user, or does the simple fact of their existance already give an attacker the possibility to exploit those vulnerabilities? Yes, however small.

Almost all software has bugs. Some may turn out to be security vulnerabilities; Torvalds claims the latter are usually the former: https://it.slashdot.org/story/17/11/20/1412241/security-problems-are-primarily-just-bugs-linus-torvalds-says

If you're interested in a particular CVE you could research what's known about it and reach your own conclusions. However, security researchers and hackers of all shades are endlessly imaginative; black hat hackers may keep some knowledge/exploits secret.

In a perfect world everyone would keep their 3rd party libraries continuously up-to-date (a la Windows Update or similar). If there's a formal process in place for that, then they can use adherence to best practices as a defense in case of litigation. If they don't, and an audit of a compromised server finds vulnerable software, well, let's just say lawyers can be endlessly imaginative as well.

Another approach is to purchase appropriate insurance, so the risks associated with problems like this are borne by someone else.
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
Précédent
Suivant
Répondre
Fil
Voir

Click here to load this message in the networking platform