date 2021-11-02

A new study shows that almost all computer code in the world is vulnerable to one type of exploit that could, at worst, result in large-scale supply chain attacks.

The flaw in question was discovered by researchers at the University of Cambridge in England, who have taken to calling it “Trojan Source”. This “Trojan” affects what are known as code compilers, key pieces of software that help human-written source code run on machines.

When building software, programmers write in a human-readable language, so-called “high-level” code. This includes languages like Java, C++, Python, and so on. However, for the instructions in a script to actually be executed by a computer, the code must be translated into a machine-readable format consisting purely of binary bits, the so-called “machine code”. This is where compilers come in. They act as intermediaries between humans and machines, translating one language into another.

Unfortunately, as the new study shows, they can also be attacked quite easily. According to the researchers’ findings, almost all compilers have a bug which, when properly exploited, lets an attacker hijack them invisibly for malicious purposes. With the exploit, a malicious actor could, hypothetically, feed machines different code than was originally intended, effectively overriding a program’s instructions.

As such, “Trojan Source” could hypothetically be used to instigate large-scale supply chain attacks. Such attacks, like the recent one against SolarWinds, involve silently implanting malicious programming in software products as a vector to compromise the systems and networks of specific targets. In theory, hackers could use this exploit to seed vulnerabilities across entire software ecosystems, which they could later use for a more targeted attack. As such, the vulnerability poses “an immediate threat,” the researchers write, and could threaten to “compromise the supply chain throughout the industry.”

The paper suggests several new protections aimed specifically at defending compilers as a means of avoiding this big new problem. Cybersecurity reporter Brian Krebs has reported that, as a result of the study, some organizations have already promised to issue patches related to “Trojan Source”. Others, however, are reportedly “dragging their feet.”

“The fact that the Trojan Source vulnerability affects almost all computer languages makes it a unique opportunity for an environmentally sound and system-wide cross-platform and vendor-based comparison of responses,” the paper states. “Since powerful attacks can be easily launched using these techniques, it is essential that organizations involved in a software supply chain implement defenses.”