The study titled “Trojan Source: Invisible Vulnerabilities” was recently published by security researchers from England. In the 15-page paper, the researchers detail how Trojan Source affects compilers, the software that converts human-written source code into what is called “machine code”.
For those unaware, developing a software application usually starts with thousands of lines of code written in a high-level language such as C++, Java, or Python. Although these are specialized languages, the code still has to be converted into binary machine code that the computer can understand. This is where compilers come into the picture: they translate the human-written source code into the binary form that computer systems execute.
The recently discovered vulnerability affects most compilers and several software development environments. It involves Unicode, the digital text encoding standard that lets computer systems exchange text in any language. The bug specifically concerns Unicode’s bidirectional, or “Bidi”, algorithm, which handles text that mixes left-to-right and right-to-left scripts, as cybersecurity reporter Brian Krebs explains.
According to the study, almost every compiler carries the vulnerability. A hacker can use the loophole to slip changes into an application’s original code during the compilation process, so that even the original developer would not know about the altered code in their application, which in turn could let the hacker gain access to computer systems.
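The Bidi control characters at the heart of the attack can be detected before code is reviewed or compiled. The following scanner is an added example, not code from the paper or from any vendor’s patch; it flags every Bidi control in a source file and marks as suspicious those on lines that contain no right-to-left letters at all, since such a control has nothing legitimate to reorder. The sample source is constructed for the demonstration.

```python
import unicodedata

# Bidi controls whose presence in source code is suspect: the explicit
# embeddings/overrides (U+202A..U+202E) and the isolates (U+2066..U+2069).
# Inside a comment or string literal they change what an editor displays,
# while the compiler still consumes the logical character order.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

def line_has_rtl_text(line: str) -> bool:
    """True if the line contains a right-to-left letter (Hebrew, Arabic, ...)."""
    return any(unicodedata.bidirectional(ch) in ("R", "AL") for ch in line)

def scan_source(source: str):
    """Return (line, column, codepoint name, suspicious) per Bidi control.

    Positions are 1-based. `suspicious` is True when the line carries no RTL
    text: a control there serves no rendering purpose except hiding code.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        rtl = line_has_rtl_text(line)
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, unicodedata.name(ch), not rtl))
    return findings

def strip_bidi_controls(source: str) -> str:
    """Remove every Bidi control; a blunt but effective pre-commit sanitizer."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)

# Constructed sample (not from the paper). Line 3 hides a RIGHT-TO-LEFT
# OVERRIDE in an otherwise plain ASCII comment; line 4 uses isolates around
# genuine Hebrew text, where Bidi controls are plausible.
SAMPLE = (
    "def is_admin(user):\n"
    "    return user.role == 'admin'\n"
    "    # \u202e end of check\n"
    "\u05e9\u05dc\u05d5\u05dd = '\u2067hebrew label\u2069'  # RTL text present\n"
)

if __name__ == "__main__":
    for lineno, col, name, suspicious in scan_source(SAMPLE):
        flag = "SUSPICIOUS" if suspicious else "review"
        print(f"line {lineno} col {col}: {name} [{flag}]")
```

Run against a repository in CI and fail the build on any suspicious finding; lines with genuine RTL text can be routed to human review instead.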
As a result, the report suggests that this vulnerability could enable large-scale supply chain attacks across many industries. The disclosure was therefore coordinated with various organizations, according to Krebs’ report, which adds that some companies have promised to roll out patches to fix the vulnerability, while others are reportedly “dragging their feet.”
“The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses. As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses,” the researchers warned in the paper.