Identifying if AutoIt has Known Vulnerabilities.


Hello there, our team is thinking of using AutoIT to automate some tasks and typically we conduct a search of known vulnerabilities before we integrate new tools. I wasn't able to find much on AutoIT, except CVE-2017-6714, which was assigned to Cisco for remediation.

Does AutoIT release a list of identified and remediated vulnerabilities? 

Also, does anyone have suggestions on how to reduce and control the security risks posed by using AutoIT on user workstations and servers?

Would appreciate your feedback.

The AutoIT service referred to in the CVE is a different thing.  As far as identified vuls and remediations go, I'm not sure you'll find anything beyond the change log.

What I can say, from my experience, is that there doesn't appear to be anything inherently insecure about AutoIt or the AutoIt interpreter in itself, as it does not load any persistent running elevated software (e.g. services, etc.).  It is my position that it should be treated as any other scripting/interpreted language (e.g. PowerShell, VBS, Python, etc.) and it is up to the usage, operation, and scripter whether or not security concerns are introduced/addressed.
