ISC StormCast for Friday, April 12th, 2024

Released Friday, 12th April 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Hello, welcome to the Friday, April 12th, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and I'm recording from London, England.

Well, yesterday a couple of listeners alerted me that the Rust vulnerability that I talked about is actually part of a bigger issue. There is a blog post by a researcher, I guess you would pronounce it RyotaK, that talks about this problem. They are calling this BatBadBut, but essentially it affects many languages that are executing batch files on Windows. The problem here is that there is a CreateProcess API that's commonly being used in order to execute these files. But what happens behind the scenes is that the file name of the bat file, including any command line arguments, is being passed to cmd.exe. And that opens you up to a host of, well, command injection issues if you're not very carefully escaping any of the command line arguments.

One issue that's particularly kind of tricky to track is that after you do the escaping, and after you then send all of that data, meaning the file name of the bat file and the command arguments, to cmd.exe, environment variables that may be present in the command line will be expanded. And adding to the issue, it seems by default you have this special variable called CMDCMDLINE which expands to double quotes, so an attacker could include %CMDCMDLINE%, which will then, after all of your escaping, be expanded to a double quote and as a result again get you back into a command injection.

2:00

So Rust made a patch available. I just saw earlier a Node.js patch that looks like it fixes this issue, even though this particular issue is not quite credited in the release that I've seen. There should also be soon a patch available for PHP. Other languages, like for example Python and Go, just updated their documentation. Haskell has a patch available, and then, for example, Java just won't fix the issue.

Executing commands like this is always dangerous and should be avoided if possible. If you do have to do it, then take a look at the blog post by RyotaK, as it goes over a couple of different scenarios, how the vulnerability exactly happens, and then also how to escape things properly, or at least more securely than what's usually done. This is a problem if you are executing bat files from your code on Windows and you are accepting user-provided command line arguments. If you have fixed file names, or if you're not on Windows, then of course that's less of an issue.

3:18

We have yet more vulnerabilities from Fortinet. This one affects the FortiClient for Linux. It's a remote code execution vulnerability, and in order to exploit this vulnerability a user would have to visit a malicious website.

3:38

And Apple revised its documentation pertaining to the alerts it's sending to users that may be the target of mercenary spyware. Apple calls mercenary spyware any kind of spyware that is likely being created at the request of governments, usually by companies like, in the past, for example, the NSO Group. If there's reason to believe that a particular user is targeted by such spyware, it will notify these users, and apparently already has, in response to this, notified users in ninety-two different countries. Journalists and other activists and such are often the target of these kinds of spyware attacks, and Apple directs victims to the Digital Security Helpline, which is operated by a non-profit, Access Now.

4:35

And Checkmarx has a blog post that has details regarding some techniques attackers are using in order to make victims, in this case developers, more likely to download code from malicious repositories in GitHub. These tricks revolve around gaming the search results in GitHub. For example, one way how many developers, I sometimes have done that, try to find repositories that are actively developed is, when you're searching for certain keywords, to look for which repository was most recently updated. Well, in this particular case the attacker has continuously made small commits to a repository, sometimes within a few minutes of each other, in order to make sure that a particular repository is always showing up first if, as a developer searching for a particular code base, you are sorting by looking at the last updated repository first. An interesting trick, and itself a little bit of a development on the simple typosquatting, and it's certainly something that I can see developers fall for. So let your developers know, and, as always, be careful if you are including various libraries and code bases from repositories like GitHub.

6:03

And that's it for today. Thanks for listening, and talk to you again on Monday.
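The episode stops at "escape things properly, or at least more securely". As an added example, not code from the podcast, from RyotaK's post, or from any of the language runtimes mentioned, the Python below shows the conservative shape such handling can take before a `.bat` script is launched: it refuses arguments containing line breaks or double quotes (a policy chosen for this example, stricter than a full escaping scheme), and it neutralises `%` with the `%%cd:~,%` replacement recommended in RyotaK's post, so that a `%CMDCMDLINE%` reference in user input can no longer be expanded by cmd.exe. The names `escape_bat_arg`, `is_safe_bat_arg`, `make_bat_command_line`, `run_batch` and `UnsafeBatchArgument` are this example's own.

```python
"""Conservative argument handling for launching a .bat/.cmd script via cmd.exe.

Added example; not code from the ISC podcast, RyotaK's post, or any language
runtime. The pure functions run on any platform, so the policy is unit-testable
away from Windows; run_batch() is the only Windows-specific piece.
"""
import subprocess


class UnsafeBatchArgument(ValueError):
    """Raised when an argument cannot be handed to a batch file safely."""


def escape_bat_arg(arg: str) -> str:
    """Return `arg` quoted for cmd.exe, or raise UnsafeBatchArgument.

    Policy (an assumption of this example, stricter than a full escaping scheme):
      * CR / LF are rejected: cmd.exe treats a line break as the end of the
        command and whatever follows as a new command.
      * Double quotes are rejected outright: cmd.exe toggles quote state on
        every `"`, regardless of any backslash placed before it by
        CreateProcess-style quoting, so a `"` inside the argument would end the
        quoted region.
      * `%` becomes `%%cd:~,%`: cmd.exe expands `%cd:~,%` to an empty string,
        so the literal `%` survives but can no longer start an
        environment-variable reference such as %CMDCMDLINE%.
      * Everything else is wrapped in double quotes.
    """
    if "\r" in arg or "\n" in arg:
        raise UnsafeBatchArgument("line breaks are not allowed in batch arguments")
    if '"' in arg:
        raise UnsafeBatchArgument("double quotes are not allowed in batch arguments")
    return '"' + arg.replace("%", "%%cd:~,%") + '"'


def is_safe_bat_arg(arg: str) -> bool:
    """Boolean form of the same policy, convenient for input validation."""
    try:
        escape_bat_arg(arg)
    except UnsafeBatchArgument:
        return False
    return True


def make_bat_command_line(script: str, args) -> str:
    """Compose the single command-line string that cmd.exe will receive."""
    if not script.lower().endswith((".bat", ".cmd")):
        raise ValueError("only .bat/.cmd scripts are handled here")
    parts = [escape_bat_arg(script)] + [escape_bat_arg(a) for a in args]
    return " ".join(parts)


def run_batch(script: str, args):
    """Windows only: run the script through cmd.exe with the vetted command line.

    /d skips AutoRun registry commands; /s makes cmd.exe strip exactly the outer
    pair of quotes around the /c string, so the inner quoting is preserved as built.
    """
    cmdline = make_bat_command_line(script, args)
    return subprocess.run('cmd.exe /d /s /c "' + cmdline + '"', check=False)


if __name__ == "__main__":
    # Constructed inputs: an ordinary argument and one carrying an env-var reference.
    print(make_bat_command_line("build.bat", ["release", "%CMDCMDLINE%"]))
    print(is_safe_bat_arg('say "hi"'))
```

Rejecting rather than escaping double quotes costs some functionality, but it keeps the policy easy to audit; if a script genuinely needs quotes or line breaks in its input, passing the data through a file or an environment variable the script reads itself avoids the command line altogether.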
