University of Cambridge researchers have discovered the “Trojan Source” bug which allows the encoding of potentially harmful source codes without being detected.
According to the researchers, Trojan Source “exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers.”
The research further explained that the Trojan Source exploit overrides Unicode’s bi-directional or “Bidi” algorithm which determines display text order.
“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty. That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code,” said Ross Anderson, one of the researchers.
Anderson also warned that the malicious code may be virtually undetectable to human review.
Anderson and the other researchers however have also made recommendations on protection against the bug and advised organizations to issue patches.
© Fourth Estate® — All Rights Reserved.
This material may not be published, broadcast, rewritten or redistributed.