350K Open-Source Projects At Risk of Supply Chain Vulnerability
Trellix has announced the establishment of the Trellix Advanced Research Center, a facility and project aimed at creating real-time intelligence and threat indicators to help customers detect, respond to and remediate the latest cybersecurity threats.
“The threat landscape is scaling in sophistication and potential for impact,” said Trellix chief product officer Aparna Rayasam. “We do this work to make our digital and physical worlds safer for everyone. With adversaries strategically investing in talent and technical know-how, the industry has a duty to study the most combative actors and their methods to innovate at a faster rate.”
Upon its establishment, the Trellix Advanced Research Center also published its research into CVE-2007-4559, a vulnerability estimated to be present in roughly 350,000 open-source projects and several closed-source projects.
The flaw resides in the Python tarfile module, which ships with the Python standard library and is therefore available in any project using the Python programming language. It is often found in frameworks created by Netflix, AWS, Intel, Facebook and Google, as well as in applications used for machine learning, automation and Docker containerization.
According to Trellix, the vulnerability can be exploited by uploading a malicious tar file, generated with a few lines of code, which the vulnerable application then extracts, allowing attackers to achieve arbitrary code execution.
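The weakness behind CVE-2007-4559 is that `tarfile` extraction trusts member names, so an entry such as `../../etc/cron.d/evil` or an absolute path is written outside the chosen directory. The following is an added example, not Trellix's tool or code from the article: it builds a small archive in memory (constructed sample members) and shows the per-member check a developer can run before calling `extractall`. The destination path `/tmp/extract` is an assumption.

```python
import io
import os
import tarfile


def is_within_directory(directory: str, target: str) -> bool:
    """True if target resolves inside directory (no '../' escape, no absolute path)."""
    abs_dir = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def unsafe_members(archive: tarfile.TarFile, dest: str) -> list:
    """Return the names of members that would land outside dest when extracted."""
    bad = []
    for member in archive.getmembers():
        candidate = os.path.join(dest, member.name)
        if not is_within_directory(dest, candidate):
            bad.append(member.name)
    return bad


def safe_extractall(archive: tarfile.TarFile, dest: str) -> None:
    """Extract only after checking every member; refuse the whole archive on traversal."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, path traversal in members: {bad}")
    archive.extractall(dest)


def build_sample_archive(member_names) -> bytes:
    """Constructed in-memory tar whose members have the given names (each holds one byte)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in member_names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_archive_bytes(blob: bytes, dest: str = "/tmp/extract") -> list:
    """Open an archive from bytes and report members that escape dest (assumed path)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
        return unsafe_members(tf, dest)


if __name__ == "__main__":
    sample = build_sample_archive(["app/config.yml", "../../etc/cron.d/evil", "/etc/passwd"])
    print(check_archive_bytes(sample))
```

Python 3.12 and later also accept `filter="data"` on `extractall`, which rejects such members; the explicit check above is the option for older interpreters.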
“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact,” explained Christiaan Beek, head of adversarial and vulnerability research at Trellix.
“This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”
Further, the company said that while open-source developer tools like Python are necessary to advance computing and innovation, they rely heavily on industry collaboration for protection from known vulnerabilities.
To this end, Trellix said it is working to push fixes via GitHub pull requests to protect open-source projects from the vulnerability.
“A free tool for developers to check if their applications are vulnerable is available on Trellix Advanced Research Center’s GitHub,” the company wrote.
This is not the first time Python-based applications have come under scrutiny recently. Earlier this month, a joint advisory by SentinelLabs and Checkmarx linked a threat actor called ‘JuiceLedger’ to the first known phishing campaign targeting Python Package Index (PyPI) users.