Virtually All Code Is Vulnerable to Insidious Attack Due to Trojan Source Vulnerability, Researchers Say
Ransomware attack disrupts healthcare in Newfoundland and Labrador, Pink botnet has infected 1.6 million devices, FBI warns of HelloKitty ransomware gang, NSO Group branches out, more
Researchers at the University of Cambridge described a weakness they named Trojan Source that affects source code handled by most compilers and many software development environments, because all of them accept Unicode, the digital text encoding standard that lets computers exchange text regardless of the language used.
The bug involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic, which is read right to left, and English, which is read left to right.
Because the default Bidi ordering is sometimes wrong for a given piece of text, Unicode also provides invisible control characters (overrides and isolates) that force a display direction, and most programming languages accept them inside comments and string literals. Placed there, they make the code a human reviewer sees on screen differ from the logical order of characters the compiler actually parses: a line that displays as an ordinary comment followed by a conditional can in fact be one long comment that swallows the conditional. The result is a novel supply chain attack that can pass code review. The researchers conducted a widespread scan for the pattern but found no evidence that anyone is exploiting it yet. (Brian Krebs / Krebs on Security)
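As an added example, not code from the article, the newsletter or the researchers, the following Python scanner shows what the pattern looks like inside a source file and how to detect it. It builds a constructed line in the "commenting-out" style the researchers describe, lists each Bidi control character by position, strips the controls to show the logical order a compiler tokenises, and counts controls that are never terminated before the line ends. The sample source and the function names are assumptions made for this illustration.

```python
import unicodedata

# Unicode explicit Bidi formatting characters (the "overrides" the article refers to).
# Embeddings/overrides are closed by PDF (U+202C); isolates are closed by PDI (U+2069).
# A line break closes all of them, which is why a control left open at end of line is
# the tell-tale of the Trojan Source pattern.
EMBEDDING_OPEN = {"\u202a", "\u202b", "\u202d", "\u202e"}   # LRE, RLE, LRO, RLO
EMBEDDING_CLOSE = "\u202c"                                  # PDF
ISOLATE_OPEN = {"\u2066", "\u2067", "\u2068"}               # LRI, RLI, FSI
ISOLATE_CLOSE = "\u2069"                                    # PDI
BIDI_CONTROLS = EMBEDDING_OPEN | {EMBEDDING_CLOSE} | ISOLATE_OPEN | {ISOLATE_CLOSE}

RLO, LRI, PDI = "\u202e", "\u2066", "\u2069"

# Constructed sample (assumption, not taken from the paper or the article) in the
# "commenting-out" style the researchers describe. In logical order, which is what
# the compiler tokenises, the whole line is one /* ... */ comment, so printf runs
# for every user. A Bidi-aware editor renders it approximately as:
#     /* begin admins only */ if (isAdmin) {
TROJAN_LINE = ("/*" + RLO + " } " + LRI + "if (isAdmin)" + PDI
               + LRI + " begin admins only */")
SAMPLE_SOURCE = (
    "int main() {\n"
    "    bool isAdmin = false;\n"
    "    " + TROJAN_LINE + "\n"
    "        printf(\"You are an admin.\\n\");\n"
    "    return 0;\n"
    "}\n"
)


def find_bidi_controls(source):
    """List every Bidi control as (line, column, 'U+XXXX', Unicode name), 1-based."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, "U+%04X" % ord(ch), unicodedata.name(ch)))
    return hits


def unterminated_controls(line):
    """Number of embeddings/overrides/isolates still open when the line ends.

    A balanced pair such as RLI ... PDI around an Arabic string literal is a
    legitimate use; the attack pattern deliberately leaves controls open so the
    rest of the line is reordered on screen.
    """
    stack = []
    for ch in line:
        if ch in EMBEDDING_OPEN:
            stack.append("E")
        elif ch in ISOLATE_OPEN:
            stack.append("I")
        elif ch == EMBEDDING_CLOSE:
            # PDF closes the innermost embedding but cannot reach out of an isolate
            if stack and stack[-1] == "E":
                stack.pop()
        elif ch == ISOLATE_CLOSE:
            # PDI closes the innermost isolate together with anything nested in it
            if "I" in stack:
                while stack.pop() != "I":
                    pass
    return len(stack)


def compiler_view(source):
    """The text with all Bidi controls removed: the token sequence a compiler sees."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)


def audit(source):
    """Per offending line: (line number, controls present, controls left open).

    The strict policy is to reject any Bidi control in source; the unterminated
    count helps triage findings against legitimate balanced uses.
    """
    report = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        present = sum(ch in BIDI_CONTROLS for ch in line)
        if present:
            report.append((lineno, present, unterminated_controls(line)))
    return report


if __name__ == "__main__":
    for hit in find_bidi_controls(SAMPLE_SOURCE):
        print("line %d col %d %s (%s)" % hit)
    print("audit:", audit(SAMPLE_SOURCE))
    print("what the compiler parses on line 3:")
    print(compiler_view(SAMPLE_SOURCE).splitlines()[2])
```

Running the block reports four controls on line 3, two of them still open at the end of the line, and prints the compiler-facing text `/* } if (isAdmin) begin admins only */`, which is entirely a comment. Exactly how the line renders depends on the editor, which is the point: a scan for the control characters themselves, rather than a visual review, is the reliable check.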
Related: The Hacker News, …
Subscribe to Metacurity to keep reading this post and get 7 days of free access to the full post archives.