Posted by 
Category: ![Chinese Army training with computers [Fair Use]](https://www.exportlawblog.com/images/Chinese Hackers.jpg "Chinese Army training with computers [Fair Use]")
Back in December, IBM issued a security alert relating to the IBM Forms Viewer 8.0.1 which must be used as part of filing licenses through DTrade. The alert says this:
A XFDL form can be created in such a way that could cause a stack buffer overflow to occur in the IBM Forms Viewer that could allow remote code execution to occur if the form is loaded.
That, of course, is geekspeak meaning that running DTrade on your network can allow a hacker to take over your system remotely and download whatever strikes his or her fancy, including ITAR-controlled technical data.
There is a fix. The security bulletin says to download IBM Forms Viewer 8.0.1.1. Sadly you can’t download that version without a Support Agreement with IBM. I know. I tried. And the only version available on DDTC’s site, even though the vulnerability is almost two months old, is version 8.0.1.
Query: since using DTrade exposes your system to data theft by foreign nationals, does everyone using DTrade have to file a voluntary disclosure with DDTC admitting that their ITAR-controlled technical data is, by virtue of the DTrade vulnerability, accessible to foreign nationals?
Seriously, DDTC needs to either make the new version available immediately or enable users to uninstall DTrade and use an alternate method for filing license applications. (Oh, and remember that DDTC selected the IBM XFDL format over PDF because it was, allegedly, more secure.)
Permalink
Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)
