"This Sneaky Trick Could Allow Attackers To Hide ‘Invisible’ Vulnerabilities in Code"
Developers using the Rust programming language in a project are advised to check for differences between the code that was reviewed and the code the compiler actually consumed. The Rust Security Response Working Group (WG) has brought attention to a security vulnerability, tracked as CVE-2021-42574, which is described as a Unicode bidirectional override issue that affects not only Rust but also other top programming languages such as Java, JavaScript, Python, C-based languages, and more. Open-source projects often rely on humans to review new code in order to detect any potentially malicious contributions by volunteers. However, security researchers at Cambridge University discovered how the encoding of source code files could be manipulated so that human reviewers and compilers see different logic. One method uses Unicode directionality overrides to display code as an anagram of its true logic. The attack was proven to work against C, C++, C#, JavaScript, Java, Rust, Go, Python, and other modern languages. The researchers warn that exploitation of the bug through this attack poses a significant threat to software supply chains. This article continues to discuss the Unicode security flaw affecting Rust, Java, Python, and other programming languages.
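The practical defender's check the summary points at is to make sure the text a reviewer reads is the text the compiler parses. Bidirectional override characters are ordinary code points that a renderer reorders but a lexer does not, so the simplest guard is to reject them in source files before review or compilation. The following scanner is an added example, not code from the Rust WG, the Cambridge researchers, or ZDNet; it assumes the set of Unicode bidirectional control characters listed in the block (U+202A to U+202E and U+2066 to U+2069), which the article itself does not enumerate, and the sample source it scans is constructed for the demonstration.

```python
import sys
from pathlib import Path
from typing import List, Tuple

# Unicode bidirectional control characters that change how a line is drawn
# without changing the byte order the compiler sees.
# Assumption: this is the set relevant to the override technique; the
# article does not list code points, so the mapping is supplied here.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}

Finding = Tuple[int, int, str, str]  # (line, column, short name, line text)


def find_bidi_controls(source: str) -> List[Finding]:
    """Return every bidi control character in `source` with its 1-based line/column.

    Scanning is character-by-character on the decoded text, so a control
    hidden inside a comment or string literal is reported just like one in code.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col_no, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col_no, BIDI_CONTROLS[ch], line))
    return findings


def is_clean(source: str) -> bool:
    """True when the text contains no bidirectional control characters."""
    return not find_bidi_controls(source)


def format_finding(path: str, finding: Finding) -> str:
    """Render a finding with the code point spelled out, since the character itself is invisible."""
    line_no, col_no, name, line = finding
    code_point = next(cp for cp, n in BIDI_CONTROLS.items() if n == name)
    return f"{path}:{line_no}:{col_no}: {name} (U+{ord(code_point):04X}) in: {line!r}"


def scan_file(path: Path) -> List[Finding]:
    """Decode a file as UTF-8 (undecodable bytes replaced) and scan it."""
    return find_bidi_controls(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample: an RLO at the end of one literal and an isolate pair in
# another. On screen the lines look ordinary; the lexer sees the raw order.
SAMPLE = (
    "fn main() {\n"
    "    // constructed sample: the next two lines contain bidi controls\n"
    '    let s = "abc\u202e";\n'
    '    let t = "\u2066def\u2069";\n'
    "}\n"
)


def main(argv: List[str]) -> int:
    """CLI: scan the given paths, or the built-in sample when none are given. Exit 1 on any hit."""
    hits = 0
    if not argv:
        for f in find_bidi_controls(SAMPLE):
            print(format_finding("<sample>", f))
            hits += 1
    for arg in argv:
        for f in scan_file(Path(arg)):
            print(format_finding(arg, f))
            hits += 1
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the three findings in the constructed sample, or pass source files (for example as a pre-commit hook or CI step) to fail the build on any hit. Reporting the code point rather than the character matters because the character renders as nothing, which is exactly why the reviewer missed it.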
ZDNet reports "This Sneaky Trick Could Allow Attackers To Hide ‘Invisible’ Vulnerabilities in Code"