New 'Trojan Source' Technique Lets Hackers Hide Vulnerabilities in Source Code

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,055
A novel class of vulnerabilities could be leveraged by threat actors to inject visually deceptive malware in a way that's semantically permissible but alters the logic defined by the source code, effectively opening the door to more first-party and supply chain risks.

Dubbed "Trojan Source attacks," the technique "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a newly published paper.

The vulnerabilities — tracked as CVE-2021-42574 and CVE-2021-42694 — affect compilers of all popular programming languages such as C, C++, C#, JavaScript, Java, Rust, Go, and Python. Compilers are programs that translate high-level human-readable source code into their lower-level representations such as assembly language, object code, or machine code that can then be executed by the operating system.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top