Given the rash of Maya security vulnerabilities it makes sense to pool our resources and come up with some kind of open source tool for scanning and quarantining potentially infected Maya files.
Some key items to consider:
- a scanner for scriptnodes (the link above includes a skeletal version but this would need to be bulletproofed)
- a method of securely identifying scriptnodes with a legitimate in-house purpose
- a method for scanning expression nodes (note: expression nodes are a real attack vector – I won’t post example code but they definitely can be used to run arbitrary code, can explain if necessary).
- a “pen testing” group that tries to find ways around whatever gets cooked up to make sure that the security guarantees are fairly solid.
This kind of stuff is hard and we have to be realistic about what is doable, but any shared response to this crap is a step forward. And we should encourage other communities (Blender, Max) to follow suit!
Volunteers? Good chance to get a useful OS project on your resume and/or GitHub!
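
A sketch of the first two list items, added here as an example and not code from the post or from any existing tool: it pulls script node bodies out of Maya ASCII (`.ma`) text and reports every body whose SHA-256 is not on an in-house allowlist, since a node name alone can be copied by anything that writes to the scene. It assumes script nodes appear as `createNode script` statements followed by `setAttr ".b"` / `".a"` string attributes; the sample scene and node names are constructed, and Maya Binary files are not handled.

```python
import hashlib
import re

# Constructed sample of Maya ASCII text, not taken from a real scene.
SAMPLE_MA = r'''
createNode transform -n "pCube1";
    setAttr ".t" -type "double3" 0 1 0 ;
createNode script -n "studioUiConfig";
    setAttr ".b" -type "string" "print(\"restore panels\")";
createNode script -n "unknownNode";
    setAttr ".b" -type "string" "python(\"import os\")";
'''

# A createNode statement at the start of a line; the -n name is optional.
HEAD_RE = re.compile(r'^createNode\s+(\w+)(?:[^;]*?-n\s+"([^"]+)")?', re.M)
# "before" (.b) and "after" (.a) script bodies, with \" escapes kept intact.
ATTR_RE = re.compile(
    r'setAttr\s+"\.(b|a)"\s+-type\s+"string"\s+"((?:[^"\\]|\\.)*)"', re.S)

def script_nodes(ma_text):
    """Yield (node_name, attr, raw_body) for every script node body."""
    heads = list(HEAD_RE.finditer(ma_text))
    for i, head in enumerate(heads):
        if head.group(1) != "script":
            continue
        # A node's attributes run until the next createNode statement.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(ma_text)
        for attr, body in ATTR_RE.findall(ma_text[head.end():end]):
            yield head.group(2), attr, body

def digest(body):
    """SHA-256 of the body exactly as stored in the file (escapes included)."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def scan(ma_text, allowlist):
    """Return script node bodies whose hash is not on the allowlist."""
    findings = []
    for name, attr, body in script_nodes(ma_text):
        h = digest(body)
        if h not in allowlist:
            findings.append({"node": name, "attr": attr, "sha256": h})
    return findings

if __name__ == "__main__":
    approved = {digest(r'print(\"restore panels\")')}  # hypothetical allowlist
    for finding in scan(SAMPLE_MA, approved):
        print("unapproved script node:", finding)
```

The allowlist itself needs to live somewhere artists' machines can read but not modify; otherwise the hash check adds nothing over the name check.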