Episode Transcript
0:00
Hello, welcome to the Friday, April 12th, 2024 edition of the SANS Internet Storm Center's StormCast. My name is Johannes Ullrich and I'm recording from London, England.
0:14
Well, yesterday a couple of listeners alerted me that the Rust vulnerability that I talked about is actually part of a bigger issue. There's a blog post by a researcher, I guess you would pronounce it RyotaK, that talks about this problem. They are calling this BatBadBut, but essentially it affects many languages that are executing batch files on Windows. The problem here is that there is a CreateProcess API that's commonly being used in order to execute these files. But what happens behind the scenes is that the file name of the batch file, including any command line arguments, is being passed to cmd.exe. And that opens you to a host of command injection issues if you're not very carefully escaping any of the command line arguments.

1:13
One issue that is a little tricky to track is that after you do the escaping, and after you then send all of that data, meaning the file name of the batch file and the command arguments, to cmd.exe, environment variables that may be present in the command line will be expanded. And this is particularly an issue since, by default, you have this special variable called CMDCMDLINE which expands to double quotes, so an attacker could include %CMDCMDLINE%, which will then, after all of the escaping, be expanded to a double quote, and as a result again get you back into command injection.

2:00
So Rust made a patch available. I just saw earlier a Node.js patch that looks like it fixes this issue, even though this particular issue is not quite credited in the release that I've seen. There should also soon be a patch available for PHP. Other languages, like for example Python and Go, just updated their documentation. Haskell has a patch available, and then, for example, Java just won't fix the issue.

2:33
Executing commands like this is always dangerous and should be avoided if possible. If you do have to do it, then take a look at the blog post by RyotaK, as it goes over a couple of different scenarios, how the vulnerability exactly happens, and then also how to escape things properly, or at least more securely than what's usually done. This is a problem if you are executing batch files from your code on Windows and you are accepting user-provided command line arguments. If you have fixed file names, or if you're not on Windows, then of course that's less of an issue.
3:18
We have yet more vulnerabilities from Fortinet. This one affects FortiClient for Linux; it's a remote code execution vulnerability, and in order to exploit this vulnerability a user would have to visit a malicious website.
3:38
And Apple revised its documentation pertaining to the alerts it's sending to users that may be the target of mercenary spyware. Apple calls mercenary spyware any kind of spyware that is likely being created at the request of governments, usually by companies like, in the past, for example, NSO Group. If there's reason to believe that a particular user is targeted by such spyware, it will notify the user, and apparently it already has, in response to this, notified users in 92 different countries. Journalists and other activists and such are often the target of these kinds of spyware attacks, and Apple directs victims to the Digital Security Helpline, which is operated by a non-profit, Access Now.
4:35
And Checkmarx has a blog post that details some techniques attackers are using in order to make victims, in this case developers, more likely to download code from malicious repositories on GitHub. These tricks revolve around gaming the search results on GitHub. For example, one way many developers, and I've sometimes done that, try to find repositories that are actively developed is, when you're searching for certain keywords, to look for which repository was most recently updated. Well, in this particular case the attacker has continuously made small commits to a repository, sometimes within a few minutes of each other, in order to make sure that a particular repository is always showing up first as a developer searching for a particular code base is sorting by looking at the last updated repository first. An interesting trick in itself, and a little bit of a development on the simple typosquatting, and certainly something that I can see developers fall for. So let your developers know, and that, as always, be careful if you are including various libraries and code bases from repositories like GitHub.
6:03
And that's it for today. Thanks for listening and talk to you again on Monday.