Zimbalwa iintsuku ezidlulileyo Abaphandi beYunivesithi yaseCambridge bakhululwe upapasho lwe ubuchule bokutshintsha ngokufihlakeleyo iikhowudi inobungozi kwikhowudi yemvelaphi yesicelo.
Indlela yokuhlasela yalungisa loo nto Sele idweliswe phantsi kwe-CVE-2021-42574 Iza phantsi kwegama elithi Umthombo weTrojan kwaye isekelwe ekubunjweni kombhalo obukeka ngokwahlukileyo kumqambi / umtoliki kunye nomntu ojonga ikhowudi.
Malunga noMthombo weTrojan
Indlela ixhomekeke ekusebenziseni iimpawu ezikhethekileyo ze-Unicode kwiikhowudi zekhomenti, etshintsha idispleyi order yokubhaliweyo okuphindwe kabini. Ngoncedo lwabalinganiswa bolawulo, ezinye iindawo zokubhaliweyo zinokuboniswa ukusuka ekhohlo ukuya ekunene, ngelixa ezinye ukusuka ekunene ukuya ekhohlo.
Kwimihla ngemihla, ezi mpawu zokulawula zingasetyenziselwa, umzekelo, ukufaka iintambo zesiHebhere okanye zesiArabhu kwifayile yekhowudi. Nangona kunjalo, ukuba usebenzisa aba nobumba ukudibanisa imigca enezalathiso zeteksti ezahlukeneyo kumgca omnye, iivesi ezibhaliweyo eziboniswe ukusuka ekunene ukuya ekhohlo zinokugqithana okubhaliweyo okukhoyo okuqhelekileyo okuboniswa ukusuka ekhohlo ukuya ekunene.
Ngale ndlela, ulwakhiwo olukhohlakeleyo lungongezwa kwikhowudi, kodwa ke wenze okubhaliweyo ngolu lwakhiwo kungabonakali xa ujonga ikhowudi, ukongeza iimpawu eziboniswe ukusuka ekunene ukuya ekhohlo kumazwana alandelayo okanye ngaphakathi kokoqobo, okuya kubangela isiphumo soonobumba abahluke ngokupheleleyo ababekwe ngaphezulu kufakelo olukhohlakeleyo. Ikhowudi enjalo iya kuhlala ichanekile ngokwesemantiki, kodwa iya kutolikwa kwaye iboniswe ngokwahlukileyo.
Sifumene iindlela zokusebenzisa i-encoding yeefayile zekhowudi yomthombo ukuze ababukeli kunye nabaqulunqi babone ingqiqo eyahlukileyo. Enye indlela eyingozi kakhulu isebenzisa i-Unicode ye-directionality override oonobumba ukubonisa ikhowudi njenge-anagram yengqiqo yayo yokwenyani. Siye saqinisekisa ukuba olu hlaselo lusebenza ngokuchasene neC, C ++, C #, JavaScript, Java, Rust, Go, nePython, kwaye siyakrokrela ukuba luya kusebenza ngokuchasene neelwimi ezininzi zanamhlanje.
Ngelixa uphonononga ikhowudi, umphuhlisi uya kujongana nocwangco lwabalinganiswa kwaye uyakubona uluvo olukrokrisayo kumhleli umbhalo, ujongano lwewebhu okanye i-IDE, kodwa umqokeleli kunye netoliki iya kusebenzisa ulandelelwano olunengqiqo lwabalinganiswa kwaye iphathe ikhowudi ekhohlakeleyo njengoko injalo, nokuba ithini na isicatshulwa esineendlela ezimbini kwizimvo. Abahleli bekhowudi abaninzi abadumileyo (i-VS Code, i-Emacs, i-Atom), kunye nojongano lwekhowudi yokujonga kwiindawo zokugcina (GitHub, Gitlab, BitBucket, kunye nazo zonke iimveliso ze-Atlassian) ziyachaphazeleka.
Kukho iindlela ezininzi zokusebenzisa indlela yokuphumeza izenzo ezikhohlakeleyo: yongeza inkcazo efihliweyo "yokubuyisela", ekhokelela ekuphelisweni kokwenziwa komsebenzi ngaphambi kwexesha; isiphelo kumagqabantshintshi amabinzana adla ngokugqalwa njengolwakhiwo olufanelekileyo (umzekelo, ukuvala iitshekhi ezibalulekileyo); Ulwabiwo lwamanye amaxabiso omtya akhokelela kukusilela kokuqinisekiswa komtya.
Kwakhona, kwacetywa enye indlela yokuhlaselwa (CVE-2021-42694), ebandakanya ukusetyenziswa kwee-homoglyphs, iisimboli ezibonakala zifana ngenkangeleko, kodwa zahluke ngentsingiselo kwaye zineekhowudi ezahlukeneyo ze-Unicode. Aba nobumba banokusetyenziswa kwezinye iilwimi kumsebenzi kunye namagama aguquguqukayo ukulahlekisa abaphuhlisi. Umzekelo, ungachaza imisebenzi emibini enamagama angabonakaliyo enza iintshukumo ezahlukeneyo. Ngaphandle kohlalutyo oluneenkcukacha, awukwazi ukuqonda ngokukhawuleza ukuba yeyiphi le misebenzi mibini ebizwa kwindawo ethile.
Njengenyathelo lokhuseleko, kucetyiswa ukuphumeza kubaqulunqi, abatoliki kunye nezixhobo zokuhlanganisa ezixhasa iimpawu ze-Unicode, ezibonisa impazamo okanye isilumkiso nokuba kukho abalinganiswa abangasebenziyo abalawulayo kwizimvo, umtya woqobo, okanye izichazi ezitshintsha isalathiso semveliso. Aba balinganiswa kufuneka bathintelwe ngokucacileyo kwiinkcukacha zolwimi lweprogram kwaye kufuneka bathathelwe ingqalelo kubahleli bekhowudi kunye nojongano lokusebenza kunye nogcino.
ngaphandle koko Ubuthathaka sele buqalisile ukulungiswa ilungiselelwe i-GCC, LLVM / Clang, Rust, Go, Python kunye ne-binutils. I-GitHub, iBitbucket kunye neJira nazo sele zilungiselela isisombululo kunye neGitLab.
Gqibela Ukuba unomdla wokwazi okungakumbi ngayo, ungabonisana iinkcukacha kwikhonkco elilandelayo.