DTrade Vulnerability Could Allow Foreign Spies to Hack Your Network


Posted by at 2:25 pm on January 24, 2014
Category: DDTC

[Image: Chinese Army training with computers (Fair Use)]

Back in December, IBM issued a security alert relating to the IBM Forms Viewer 8.0.1, which must be used as part of filing licenses through DTrade. The alert says this:

An XFDL form can be created in such a way that could cause a stack buffer overflow to occur in the IBM Forms Viewer that could allow remote code execution to occur if the form is loaded.

That, of course, is geekspeak meaning that running DTrade on your network can allow a hacker to take over your system remotely and download whatever strikes his or her fancy, including ITAR-controlled technical data.

There is a fix. The security bulletin says to download IBM Forms Viewer 8.0.1.1. Sadly you can’t download that version without a Support Agreement with IBM. I know. I tried. And the only version available on DDTC’s site, even though the vulnerability is almost two months old, is version 8.0.1.

Query: since using DTrade exposes your system to data theft by foreign nationals, does everyone using DTrade have to file a voluntary disclosure with DDTC admitting that their ITAR-controlled technical data is, by virtue of the DTrade vulnerability, accessible to foreign nationals?

Seriously, DDTC needs to either make the new version available immediately or enable users to uninstall DTrade and use an alternate method for filing license applications. (Oh, and remember that DDTC selected the IBM XFDL format over PDF because it was, allegedly, more secure.)


Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


2 Comments:


Sounds a bit like Franz Kafka.

Comment by Martin on January 27th, 2014 @ 2:07 am

Clif,

Just wanted to make a slight correction and clarification. The statement “running DTrade on your network can allow a hacker to take over your system remotely” isn’t correct. The Forms Viewer doesn’t sit idle as a service on the network and wait for incoming connections or anything of the sort. What’s happening here is there’s a vulnerability in the Forms Viewer software which could allow a hacker to run malicious code on your computer ONLY IF they convinced you to load a specially-crafted malicious XFDL document which exploits this vulnerability.

Now, of course, anyone who goes around downloading and viewing any old XFDL document is asking for trouble anyway. Regardless, DDTC should definitely host and provide a link to download the latest Forms Viewer. Fortunately, I have found that the NRC provides a working download link to Forms Viewer 8.0.1.1 (without the aforementioned security vulnerability). You and your readers can find it here: http://www.nrc.gov/admin/plugins/e-business/workplace-forms-viewer/FormsViewer_8011_Win32_EN.exe

Comment by John Anderson on January 27th, 2014 @ 10:43 am