Date: 2021-11-02

A group of researchers has discovered a vulnerability that could be fatal for the entire internet if affected projects do not begin to respond with updates, patches and security improvements.

Virtually all compilers are vulnerable to an attack in which an attacker can introduce specific vulnerabilities into any software without being detected, new research published today warns.

Disclosure of the vulnerability was coordinated with multiple organizations so that they could be warned of the flaw in time; many of these companies are now publishing updates to correct it.

Researchers at the University of Cambridge discovered a flaw that affects most compilers of computer code and many software development environments.

The flaw occurs in a component of the Unicode digital text encoding standard, which allows computers to exchange information regardless of the language used.

Currently, Unicode defines more than 143,000 characters in 154 different languages (plus lots of non-typing character sets like emojis).

Specifically, the weak point has to do with Unicode's bidirectional (Bidi) algorithm, which manages the display of text that mixes scripts with different display orders, such as Arabic (read from right to left) and English (read from left to right).

But computer systems need a deterministic way to resolve directionality conflicts in text. For this, the Bidi override was created: it forces left-to-right text to be displayed right to left, and vice versa.

Bidi overrides allow even single-script characters to be displayed in a different order from their logical encoding. As the researchers point out, this has previously been exploited to disguise the file extensions of malicious programs spread by email.

The problem is the following: most programming languages allow these Bidi overrides to be placed in comments and strings. This is dangerous because compilers and interpreters ignore all text inside comments, including control characters, so the override is never rejected.

This means that an attacker can place them in source code that seems innocuous to a human reviewer and turn it into a nightmare.

And this is bad news for projects like Linux and WebKit, which accept contributions from random people, put them through manual review, and then embed them into critical code. This vulnerability is, according to the experts, very serious.

The research paper, which christened the vulnerability Trojan Source, points out that although both comments and strings have specific syntax that marks their start and end, these limits are not respected by Bidi overrides.
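The practical defence the paper's description suggests is to refuse or flag source text containing Bidi control characters, especially an override that is still open when the line ends. The scanner below is an added example written for this page, not code from the researchers or from any compiler project; the sample source lines are constructed, and the nesting accounting is a simplification of the full UAX #9 rules.

```python
# Unicode explicit bidirectional formatting characters (UAX #9).
# Embeddings/overrides U+202A..U+202E are closed by PDF (U+202C);
# isolates U+2066..U+2068 are closed by PDI (U+2069).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
EMBED_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}


def scan_source(text):
    """Report every Bidi control character as (line, column, name), plus
    (line, None, 'UNTERMINATED') when a line ends with an embedding,
    override or isolate still open. That unterminated case is the Trojan
    Source pattern: the control character sits in a comment or string the
    compiler ignores, but it reorders how the rest of the line is rendered.
    Nesting is tracked per line only (simplified; assumption for this example)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        embed_depth = isolate_depth = 0
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name is None:
                continue
            findings.append((line_no, col, name))
            if ch in EMBED_OPENERS:
                embed_depth += 1
            elif ch == "\u202c":
                embed_depth = max(0, embed_depth - 1)
            elif ch in ISOLATE_OPENERS:
                isolate_depth += 1
            elif ch == "\u2069":
                isolate_depth = max(0, isolate_depth - 1)
        if embed_depth or isolate_depth:
            findings.append((line_no, None, "UNTERMINATED"))
    return findings


def has_unterminated(text):
    """True if any line leaves a Bidi override/isolate open (reject or review)."""
    return any(name == "UNTERMINATED" for _, _, name in scan_source(text))


# Constructed sample: line 2 hides an RLO in a comment and never closes it;
# line 3 has a properly balanced isolate pair inside a string literal.
SAMPLE = "x = 1\n" "y = 2  # note \u202e reversed text\n" 'z = "\u2066abc\u2069"\n'

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```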