9/4/2008
Software frameworks are enjoying enormous popularity these days among a range of developers. Its popularity is well earned; frameworks provide powerful tools for building more flexible and less error-prone applications. They generally enhance developer productivity with out-of-the-box functionality. And they can free developers to focus on features instead of common coding tasks.
The downside of frameworks is their lack of transparency. There's very little visibility into the internal behavior of frameworks, and consequently, their security implications, said Ryan Berg, chief scientist and co-founder of software risk analysis firm Ounce Labs.
A case in point: The Ounce Labs Advanced Research Team (ART) has documented two vulnerabilities that could affect Java Web apps utilizing the Spring Framework. Called "ModelView Injection" and "Data Submission to Non-Editable Fields," these vulnerabilities have the potential to allow attackers to subvert the expected application logic and gain control of an app, according to the ART documentation. That control could provide access to any data, credentials or keys held in the application.
What is most troubling about these vulnerabilities, according to Berg, is that they are not part of some correctable flaw within the framework, but a design issue. "[It's] a design issue that does not take security into account," Berg said. "Any organization utilizing this framework should fully understand the security implications of these design flaws and model their business processes and generate abuse cases to be sure that they are not being exploited."
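As an added illustration, not taken from the article or from Ounce Labs, of the "Data Submission to Non-Editable Fields" issue: Spring's data binder applies every request parameter that matches a setter on the command object, unless the controller restricts binding with an allow-list via setAllowedFields. The UserProfile class, the parameter names and the values below are constructed for the example.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class NonEditableFieldDemo {

    // Constructed command object, as a Spring form would bind it. Only
    // displayName and email are meant to be editable; admin is privileged.
    public static class UserProfile {
        private String displayName;
        private String email;
        private boolean admin;
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String v) { displayName = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    // Constructed request parameters: the two fields the form exposes plus
    // one extra parameter the form never rendered.
    static MutablePropertyValues submittedParameters() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.addPropertyValue("displayName", "alice");
        pvs.addPropertyValue("email", "alice@example.test");
        pvs.addPropertyValue("admin", "true");
        return pvs;
    }

    // Default binding: every parameter with a matching setter is applied,
    // so the extra parameter flips the privileged field.
    static UserProfile bindUnrestricted(MutablePropertyValues pvs) {
        UserProfile target = new UserProfile();
        new DataBinder(target).bind(pvs);
        return target;
    }

    // Hardened binding: an explicit allow-list of editable fields. Any other
    // parameter is dropped, and its name is available for logging.
    static UserProfile bindAllowListed(MutablePropertyValues pvs) {
        UserProfile target = new UserProfile();
        DataBinder binder = new DataBinder(target);
        binder.setAllowedFields("displayName", "email");
        binder.bind(pvs);
        for (String f : binder.getSuppressedFields()) {
            System.out.println("rejected non-editable field: " + f);
        }
        return target;
    }

    public static void main(String[] args) {
        System.out.println("unrestricted admin=" + bindUnrestricted(submittedParameters()).isAdmin());
        System.out.println("allow-listed admin=" + bindAllowListed(submittedParameters()).isAdmin());
    }
}
```

In a Spring MVC controller the same allow-list is normally set on the WebDataBinder inside an @InitBinder method, and the suppressed-field names are worth logging since they indicate tampering with fields the form never offered.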
With more than 5 million downloads to date, Spring ranks among the leading application frameworks and integration platforms, so these security vulnerabilities could affect thousands of enterprises. And in the J2EE world, Berg pointed out, it's common practice for enterprise applications to use multiple frameworks to implement key components of their Web applications.
These vulnerabilities underscore the often overlooked risks associated with software frameworks in general, said Dinis Cruz, director of Advanced Research for Ounce Labs. "The problem with frameworks is that they provide so many abstraction layers that the people who are using them don't understand fully what's going on within them," Cruz said.
Cruz is a consultant and trainer who specializes in penetration testing, ASP.NET app security, source-code security reviews, reverse engineering, and security curriculum development. He's well-known at conferences and trade shows for showing attendees how to bypass the built-in security mechanisms of the .NET and Java runtimes. He's also the chief security evangelist of the Open Web Application Security Project (OWASP), which is focused on finding and fighting the causes of insecure software. He leads the OWASP .NET Project, and is the main developer of several OWASP tools.