Academic cybersecurity researchers have flagged a strange vulnerability that affects most code compilers and many software development environments.
Discovered by researchers at the University of Cambridge, the bug affects all source code that contains bidirectional override (Bidi) Unicode codepoints, which in some cases could enable malicious users to introduce differences between reviewed code and compiled code.
“By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B,” note the researchers in their research paper.
Put simply, the vulnerability, referred to by the researchers as Trojan Source and tracked as CVE-2021-42574, exploits subtleties in text-encoding standards such as Unicode to introduce a change in logic, which essentially enables adversaries to introduce targeted vulnerabilities.
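The practical defence the researchers' description points to is to refuse or flag any source text that contains the Unicode bidirectional control codepoints in the first place, since ordinary code has no reason to carry them. The following scanner is an added example written for this article, not code from the researchers or from any compiler project; it assumes the nine explicit override, embedding and isolate controls (U+202A to U+202E and U+2066 to U+2069) and runs over two constructed source snippets, one clean and one containing such controls inside a comment and a string literal.

```python
import unicodedata

# Unicode bidirectional formatting controls that can make the displayed order
# of source text differ from its logical order: explicit embeddings/overrides
# (LRE, RLE, PDF, LRO, RLO) and the newer isolates (LRI, RLI, FSI, PDI).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def find_bidi_controls(source: str):
    """Return (line_no, col, codepoint, unicode_name) for every Bidi control.

    Lines and columns are 1-based so the output can be pasted into a
    review comment or a CI annotation. Columns count Unicode code points,
    not bytes or display cells.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(
                    (line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def is_clean(source: str) -> bool:
    """True when the text carries no Bidi control characters at all."""
    return not find_bidi_controls(source)


def scan_file(path: str):
    """Read a source file as UTF-8 and report any Bidi controls it contains.

    Reading the raw text (rather than tokens) is deliberate: the controls
    are most dangerous precisely inside comments and string literals, which
    a tokenizer would otherwise treat as opaque.
    """
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed samples for demonstration (not taken from the article).
CLEAN_SAMPLE = (
    "def greet(name):\n"
    "    # plain ASCII comment\n"
    "    return 'hello ' + name\n"
)

SUSPECT_SAMPLE = (
    "def greet(name):\n"
    "    # TODO: review \u202e this comment\n"      # RLO hidden in a comment
    "    return 'hello \u2066' + name\n"             # LRI hidden in a string
)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        hits = find_bidi_controls(sample)
        print(f"{label}: {'OK' if not hits else 'FLAGGED'}")
        for line_no, col, cp, name in hits:
            print(f"  line {line_no}, col {col}: {cp} {name}")
```

Wiring `scan_file` into a pre-commit hook or a CI step and failing the build on any finding gives reviewers the guarantee that what the diff viewer rendered is the character order the compiler will see. If a code base legitimately needs these controls (for example in localisation test data), allow-list those specific files rather than the characters.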
Software supply chain threat
The researchers argue that attacks based on this vulnerability pose a great challenge to securing software supply chains.
“If an adversary successfully commits targeted vulnerabilities into open source code by deceiving human reviewers, downstream software will likely inherit the vulnerability,” note the researchers.
The researchers have even provided a working example of an attack that exploits this bug in their paper, saying that they have verified that attacks based on this vulnerability work with code written in virtually every modern programming language, including C, C++, C#, JavaScript, Java, Rust, Go, and Python.
Given its far-reaching implications, the vulnerability disclosure was coordinated with multiple organizations, some of which are now releasing updates to address the security weakness.