Discovered by researchers at the University of Cambridge, the weakness affects any source code into which an attacker can place bidirectional override (Bidi) Unicode control characters, typically inside comments or string literals. Editors and code-review tools render those characters according to the Unicode Bidirectional Algorithm, while compilers and interpreters process the characters in their stored (logical) order, so the code a human reviewer reads can differ from the code that is actually compiled.
“By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B,” note the researchers in their research paper.
Put simply, the vulnerability, which the researchers call Trojan Source and which is tracked as CVE-2021-42574, exploits subtleties in the Unicode text-encoding standard to change a program's logic without changing how the code appears: the source remains syntactically valid and compiles cleanly, but the control flow a reviewer sees is not the control flow that runs. That lets an adversary plant targeted vulnerabilities that survive human review.
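The mechanism the researchers describe, as an added example that is not code from the article or from the paper: a constructed Python source file whose docstring ends with an RLI character (U+2067), so that a Bidi-aware editor renders the rest of the line in right-to-left order and ` ;return` appears to sit inside the docstring, while the interpreter executes it. The sample names (`bank`, `subtract_funds`, `alice`) and the scanner functions are assumptions made for this illustration. The scanner reports every Bidi control character with its line and column, which is the check a practitioner would run over incoming commits.

```python
# Added example (not from the article or the Cambridge paper): a constructed
# Trojan Source "commenting-out" sample in Python, plus a scanner that flags
# the Bidi control characters a reviewer cannot see.

# Unicode bidirectional formatting characters that Trojan Source abuses
# (embeddings, overrides and isolates, plus their terminators).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Constructed sample source (names are assumptions for this example).
# The docstring on line 4 ends right after an RLI (U+2067). An editor that
# follows the Unicode Bidirectional Algorithm renders the remainder of that
# line right-to-left, so it displays roughly as
#     ''' Subtract funds from bank account then return; '''
# i.e. as one harmless docstring. Logically the docstring closes before
# " ;return", so the interpreter sees a real `return` before the subtraction.
# The newline terminates the isolate, so no PDI is needed (a raw PDI outside
# a string or comment would be a syntax error in Python).
TROJAN_SRC = (
    "bank = {'alice': 100}\n"
    "\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
    "    return\n"
)

# Same program with the control character deleted: the " ;return" is now
# plainly visible, but it still runs. Stripping exposes the trick; it does
# not fix the logic.
CLEAN_SRC = TROJAN_SRC.replace("\u2067", "")


def run_sample(src):
    """Execute the sample program and return Alice's balance afterwards."""
    ns = {}
    exec(compile(src, "<sample>", "exec"), ns)
    ns["subtract_funds"]("alice", 50)
    return ns["bank"]["alice"]


def find_bidi_controls(src):
    """Return (line, column, name, codepoint) for every Bidi control in src.

    Columns are 1-based and counted in characters, matching what an editor
    shows. Any hit is reportable: legitimate right-to-left strings can be
    written with \\u escapes instead of raw control characters.
    """
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch], f"U+{ord(ch):04X}"))
    return findings


def make_visible(src):
    """Replace each Bidi control with a visible <NAME> marker for review output."""
    return "".join(f"<{BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch
                   for ch in src)


if __name__ == "__main__":
    # Both runs leave the balance at 100: the early return is real code in
    # either case, the Bidi character only hides it from the reviewer.
    print("balance after trojan sample:", run_sample(TROJAN_SRC))
    print("balance after stripped sample:", run_sample(CLEAN_SRC))
    lines = TROJAN_SRC.splitlines()
    for lineno, col, name, cp in find_bidi_controls(TROJAN_SRC):
        print(f"line {lineno} col {col}: {name} ({cp}) -> "
              f"{make_visible(lines[lineno - 1]).strip()}")
```

Running the trojan sample leaves the balance at 100 instead of 50 because `return` executes before the subtraction. Deleting the control character, as `CLEAN_SRC` does, keeps the early return and merely makes it visible, so the right policy for a pre-commit or CI check is to reject files containing these characters (or require them to be written as escapes inside string literals) rather than to sanitise them. Compilers have begun to help here: GCC 12 warns about them with `-Wbidi-chars`, but CPython's tokenizer does not, so Python projects need a scan like `find_bidi_controls` in their review pipeline.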
Software supply chain threat
The researchers argue that attacks based on this vulnerability pose a great challenge to securing software supply chains.
“If an adversary successfully commits targeted vulnerabilities into open source code by deceiving human reviewers, downstream software will likely inherit the vulnerability,” note the researchers.
Given its far-reaching implications, the vulnerability disclosure was coordinated with multiple organizations, some of which are now releasing updates to address the security weakness.