"Trojan Source" Bug Threatens the Security of All Code
progo writes:
Brian Krebs reports today on the biggest global information security freak-out since Heartbleed (2014). Or not -- I'm not sure.
Virtually all compilers -- programs that transform human-readable source code into computer-executable machine code -- are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness.
TL;DR: Because of Unicode string processing in all editors and compilers, and specifically how RTL [Right-to-Left][*] and LTR [Left-to-Right][*] control codes are supposed to affect the ordering of all characters regardless of whether or not they belong to an LTR language... any source code processed by a Unicode-aware compiler is subject to hidden meaning where what's rendered in your editor or terminal is not what is actually read by the compiler. Re-ordering the display of characters in a block of code can change the meaning of comparison statements, string or number constants, and comments.
Krebs cites a paper (PDF) from researchers at the University of Cambridge, which contains some nifty code examples including changing "User is not in Admin group" to render as logic for "User is in Admin group" in every source control tool or editor you might use. This sort of supply chain attack can be inserted by anyone with commit access to the code you use from upstream sources -- disgruntled employees, open source contributors; virtually all software you use now could be a target.
Is this the end of the world, or just another Monday?
This post was written in pure ASCII, just to be safe.
[*] https://en.wikipedia.org/wiki/Right-to-left_mark.
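A defender-side check for the mechanism the submission describes, added here as an example and not part of the original post or the Cambridge paper: it scans source text for the Unicode bidirectional control characters (the RTL/LTR overrides, embeddings, isolates and marks) whose presence is what lets rendered code differ from what the compiler parses. The sample source and the `find_bidi_controls`/`scan_file` names are constructed for this example.

```python
import sys
import unicodedata

# Bidi formatting characters that can reorder or override displayed text:
# explicit embeddings and overrides (U+202A..U+202E), isolates
# (U+2066..U+2069) and the implicit marks LRM, RLM and ALM.
BIDI_CONTROLS = frozenset(
    [chr(c) for c in range(0x202A, 0x202F)]
    + [chr(c) for c in range(0x2066, 0x206A)]
    + ["\u200E", "\u200F", "\u061C"]
)


def find_bidi_controls(text):
    """Return (line, column, character name) for every bidi control in text.

    Lines and columns are 1-based. Occurrences in comments, string literals
    and identifiers are all reported; whether one is legitimate (say, a real
    Arabic or Hebrew string) is a decision for the reviewer.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, unicodedata.name(ch)))
    return hits


def scan_file(path):
    """Read a file as UTF-8 and return its bidi-control hits."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample: a comment carrying a RIGHT-TO-LEFT OVERRIDE (U+202E),
# which a renderer honours but a compiler sees as just another comment byte.
SAMPLE_SOURCE = (
    "def check(user):\n"
    "    # access granted \u202e ; admin check follows\n"
    "    return user.is_admin\n"
)

if __name__ == "__main__":
    if sys.argv[1:]:
        hits = [(p, h) for p in sys.argv[1:] for h in scan_file(p)]
    else:
        hits = [("<sample>", h) for h in find_bidi_controls(SAMPLE_SOURCE)]
    for path, (line, col, name) in hits:
        print("%s:%d:%d: %s" % (path, line, col, name))
    sys.exit(1 if hits else 0)  # non-zero exit makes this usable as a CI gate
```

Run with file paths to scan a tree (`python bidi_scan.py $(git ls-files)`); with no arguments it scans the embedded sample and reports the override at line 2.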
Read more of this story at SoylentNews.