Trojan Source bug in most compilers could let adversaries launch powerful supply-chain attacks


Trojan Source affects almost all computer languages

Researchers from the University of Cambridge claim to have discovered a security vulnerability in most computer code compilers, which could enable malicious actors to introduce targeted bugs into any software without being detected.

Dubbed 'Trojan Source', the weakness affects a component of Unicode, the digital text encoding standard that provides consistent encoding, representation and handling of text across different systems.

Specifically, the security flaw involves Unicode's bi-directional (bidi) algorithm which handles the displaying of text that has mixed scripts with different display orders, such as English (which is read left to right) and Arabic (right to left).

According to the researchers, attackers can use control characters embedded in comments and strings to reorder source code characters in a way that changes the code's apparent logic.

The weakness "permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters," they say.

The researchers warn that malicious actors can leverage this deception to commit vulnerabilities into the code that will not be seen by human reviewers.
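One defensive check a reviewer or CI pipeline can run for the bidi controls described above, as an added Python example (not the researchers' code; the sample source text is constructed):

```python
import re

# Unicode bidi control code points that the Trojan Source technique relies on:
# explicit embeddings (LRE/RLE), overrides (LRO/RLO), isolates (LRI/RLI/FSI)
# and their terminators (PDF/PDI).
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
BIDI_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")


def find_bidi_controls(source):
    """Return one (line_no, column, name, code_point) tuple per bidi control found."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in BIDI_RE.finditer(line):
            ch = match.group()
            hits.append((line_no, match.start(), BIDI_CONTROLS[ch], f"U+{ord(ch):04X}"))
    return hits


def strip_bidi_controls(source):
    """Remove every bidi control so the text renders in logical (token) order."""
    return BIDI_RE.sub("", source)


# Constructed sample (not from the paper): line 2 carries an RLO override inside
# a comment, closed by a PDI, which is exactly the pattern a filter should flag.
SAMPLE = (
    "def check(user):\n"
    "    return user.is_admin  # \u202Eaudit note\u2069\n"
    "    # plain comment, no controls\n"
)

if __name__ == "__main__":
    hits = find_bidi_controls(SAMPLE)
    for line_no, col, name, cp in hits:
        print(f"line {line_no} col {col}: {name} ({cp})")
    if hits:
        raise SystemExit(1)  # fail the check so a human reviewer has to look
```

Wiring `find_bidi_controls` over every changed file in a pre-commit hook or CI job gives the "bidi character filtering" the researchers say code-hosting tools should provide.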

They notified 19 software suppliers about the security vulnerability, offering them a 99-day embargo period to allow their products to be repaired with security updates.

The researchers said nine software vendors have committed to releasing a security update for their products.

"We'll monitor their deployment over the next few days," Ross Anderson, a professor of computer security at Cambridge and co-author of the research, told Krebs On Security.

"We also expect action from Github, Gitlab and Atlassian, so their tools should detect attacks on code in languages that still lack bidi character filtering."

The researchers are also urging government and enterprises that rely on critical software to identify their suppliers' posture and ask them to implement adequate defences.

"The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses," the research paper concludes.

"As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organisations that participate in a software supply chain to implement defences."

In July, at least 200 businesses were affected by a ransomware attack after cyber criminals hijacked widely used software from Florida-based IT firm Kaseya. The attackers compromised Kaseya's remote monitoring and management tool, VSA, enabling them to encrypt the IT systems of hundreds of businesses.

Kaseya was the latest in a series of high-profile ransomware attacks, including JBS - which acknowledged in June that it paid REvil $11 million for decryption keys - and Colonial Pipeline, which crippled fuel delivery in the southeastern USA for several days.