
Security Hole in every Xojo / RealStudio app

There is a big issue in the Xojo and Real Studio runtime: at startup, it loads any dylib it finds in the frameworks folder.

Below you can download an empty dylib. This is a plugin library for Xojo/Real Studio for Mac which does nothing but write a message to Console.app. You can drop it into any app made with Xojo or Real Studio (Carbon or Cocoa doesn't matter). When you launch the app, the library is loaded and executed.

This causes trouble for us, as some users have installers which don't remove the old dylibs. So the new version loads the old plugin dylibs and complains about bad registration or missing entry points.

Not to forget, this is an easy way to add a key logger or other malware into each app!
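
A defensive check for the behaviour described above, as an added example that is not part of the original post or of Xojo: it compares the dylibs in a bundle's frameworks folder against a build-time manifest and reports leftover, altered or missing libraries. The `Contents/Frameworks` location, the manifest format and all function and file names are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large libraries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_frameworks(app_bundle: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Compare the dylibs the runtime would load against a shipped manifest.

    expected maps dylib file name -> SHA-256 hex digest recorded at build time.
    """
    # Assumption: the "frameworks folder" is Contents/Frameworks inside the bundle.
    folder = app_bundle / "Contents" / "Frameworks"
    found = {p.name: p for p in folder.glob("*.dylib") if p.is_file()} if folder.is_dir() else {}
    report: dict[str, list[str]] = {"unexpected": [], "modified": [], "missing": []}
    for name, path in sorted(found.items()):
        if name not in expected:
            report["unexpected"].append(name)  # stale plugin or planted library
        elif sha256_of(path) != expected[name]:
            report["modified"].append(name)    # same name, different contents
    report["missing"] = sorted(set(expected) - set(found))
    return report


def build_demo_bundle(root: Path) -> tuple[Path, dict[str, str]]:
    """Constructed sample: a fake bundle with one shipped and one leftover dylib."""
    app = root / "Demo.app"
    frameworks = app / "Contents" / "Frameworks"
    frameworks.mkdir(parents=True)
    (frameworks / "Shipped.dylib").write_bytes(b"shipped plugin build 2")
    (frameworks / "OldPlugin.dylib").write_bytes(b"left behind by an old installer")
    manifest = {"Shipped.dylib": hashlib.sha256(b"shipped plugin build 2").hexdigest(),
                "Crypto.dylib": "0" * 64}  # listed in the manifest but not on disk
    return app, manifest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo_app, demo_manifest = build_demo_bundle(Path(tmp))
        print(audit_frameworks(demo_app, demo_manifest))
```

An installer or updater can run the same comparison and delete everything reported as `unexpected` before the new version starts.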

See also feedback cases 31153 and 2089.
Test project and library: test.zip
09 12 13 - 10:54