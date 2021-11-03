The ‘exploit’, dubbed by the discoverers Trojan Source, is especially dangerous for open projects since it persists through the use of copy and paste and is invisible to the human eye.

A team of scientists from the University of Cambridge discovered a vulnerability that threatens practically any ‘software’, as they warn in an article published this Sunday in which they show the results of their analysis. In parallel, they disclosed them in the Github repository.

Virtually all compilers (programs that ‘translate’ human-readable code into a computer-understandable format) are vulnerable to an attack in which specific vulnerabilities can be introduced into any software without being detected.

Weakness involves the digital text encoding standard Unicode and, more specifically, its Bidi algorithm, which handles the display of text with different writing orders, such as Arabic (read from right to left) and English or Spanish (in the reverse direction).

“In some scenarios, the predetermined order established by the Bidi algorithm may not be sufficient; for these cases, the override control characters“, indicate the scientists. They point out that these characters, which are invisible, can be inserted many times, allowing” to reorder the strings in an almost arbitrary way. “

“This gives an adversary a detailed control, so you can manipulate the display order of the text [convirtiéndolo] in an anagram of its logically coded order “, warn the analysts.

As a result, the manipulated code can look normal to humans and, at the same time, run unexpectedly by compilers. Also, it would not be detected when checking the syntax of programming in most languages.

“Our key idea is that we can reorder the characters in the source code so that the resulting display order also represents a syntactically valid source code“, indicate the experts.

“The first vulnerability that affects almost everything”

For now, vulnerability – named by the discoverers Trojan Source– has been confirmed in the programming associated with the languages C #, C ++, C, Go, Java, JavaScriipt, Python, and Rust.

Since Bidi override characters persist through copy and paste functions In most modern browsers, editors and operating systems, an uncontrolled proliferation of the ‘exploit’ is possible, Ross Anderson, one of the study’s authors, told the Krebs On Security portal.

“Any developer who copies code from an untrusted source into a protected code base can inadvertently introduce an invisible vulnerability,” the expert highlighted.

“Those are bad news for projects like Linux and Webkit that accept contributions from random people, submit them to manual review and then incorporate them into the critical code. This vulnerability is, as far as I know, the first one that affects almost everything, “Anderson said.