This Unicode bug threatens the security of all source code
Major programming languages have put out updates to nullify the bug
Academic cybersecurity researchers have flagged a strange vulnerability that affects most computer code compilers, and many software development environments.
Discovered by researchers at the University of Cambridge, the bug affects all source code that contains bidirectional override (Bidi) Unicode codepoints, which in some cases could enable malicious users to introduce differences between reviewed code and compiled code.
“By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B,” note the researchers in their research paper.
Put simply, the vulnerability, referred to by the researchers as Trojan Source, and tracked as CVE-2021-42574, exploits subtleties in text-encoding standards such as Unicode to introduce a change in logic, which essentially enables adversaries to introduce targeted vulnerabilities.
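As an added example (not code from the article or from the researchers' paper), here is a small Python scanner that flags the Bidi control code points the Trojan Source technique relies on, which is the kind of check that compilers and code-review tooling added in response; the sample source it scans is constructed for the demonstration.

```python
import unicodedata

# Unicode bidirectional control code points: the overrides, embeddings and
# isolates that Trojan Source abuses, plus the left/right-to-left marks.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}


def find_bidi_controls(source: str):
    """Return (line_no, col, 'U+XXXX', unicode_name) for every Bidi control
    character in the given source text, so a reviewer can locate it even
    though the editor may render it invisibly."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def is_clean(source: str) -> bool:
    """True when the source contains no Bidi control characters at all; a
    conservative gate suitable for a pre-commit hook or CI step."""
    return not find_bidi_controls(source)


# Constructed sample: the trailing comment on line 3 carries a Right-to-Left
# Override and a matching Pop Directional Formatting, the pattern the scanner
# is meant to surface before a human reviewer reads the rendered text.
SAMPLE = (
    "def check_access(level):\n"
    "    if level > 3:\n"
    "        return True  # admin \u202eok\u202c\n"
    "    return False\n"
)

if __name__ == "__main__":
    for line_no, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"{line_no}:{col}: {cp} {name}")
```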
Software supply chain threat
The researchers argue that attacks based on this vulnerability pose a great challenge to securing software supply chains.
“If an adversary successfully commits targeted vulnerabilities into open source code by deceiving human reviewers, downstream software will likely inherit the vulnerability,” note the researchers.
The researchers have even provided a working example of an attack that exploits this bug in their paper, saying that they’ve verified that attacks based on this vulnerability work with code written in virtually every modern programming language, including C, C++, C#, JavaScript, Java, Rust, Go, and Python.
Given its far-reaching implications, the vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.