The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on ‘colors’ and ‘faker.’ The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects relying on it. Whereas faker receives over 2.8 million weekly downloads on npm and has over 2,500 dependents.

Commenting on the news, and quoted in Tech Monitor, John Goodacre, Challenge Director for Digital Security by Design, and professor of computer architectures at the University of Manchester, said

“Whether a developer reuses open-source or commercially sourced code in their project, there is always a risk that it can either perturb the expected behaviour of their application, as with NPM libs, or expose their product to a cyber vulnerability as with Log4j. It’s not untypical for developers to reuse as much as 85% of code developed elsewhere. The inherent challenge is how can they ensure external code is constrained to access only what is expected. Performance requirements have however forced developers to integrate much of this code in a way that means it has equal access to everything in the application or even machine.

John Goodacre, Challenge Director for Digital Security by Design, and professor of computer architectures at the University of Manchester

“Cybersecurity, along with the growing demand for confidentiality and privacy, means developers should no longer trust that third-party party code has no vulnerabilities. Computers are not designed to provide the required fine-grained compartmentalisation so that developers can securely protect the various functions of an application by default. Developers can investigate the fundamental changes in the way future computers address this challenge through a UK Government initiative known as Digital Security by Design (DSbD). Delivered through UKRI, the programme supports industry to introduce technologies that can block around 70% of ongoing vulnerabilities from exploitation. Developers are also provided low-cost hardware mechanisms to securely isolate different sections of code within an application. This could stop for example a library that should not draw to the screen from doing so, or a logging library from accessing anything other than the logging functionality.”

John Goodacre, Challenge Director for Digital Security by Design, and professor of computer architectures at the University of Manchester

Another story that caught our eye this week was that Mozilla patched a security issue in Firefox that could have allowed an attacker to spoof legitimate websites via a stealthily executed ‘full screen’ mode. The vulnerability (CVE-2022-22746), which was present in Windows versions of Firefox, is a race condition bug that could result in the browser’s full screen notification warning being bypassed.

This could enable an attacker to trick a user into clicking links or entering sensitive details on a fake website, among other malicious activities.

In controlling a full screen browser window without a user’s knowledge, the attacker can spoof the URL address bar of a genuine site – something which is usually controlled by the browser, along with other ‘above the line’ trust indicators. The attacker could go further to not only serve what appears to be the proper domain, but also the SSL padlock icon used to reassure web users that the site is HTTPS protected.

John Goodacre commented, saying

“Unfortunately, we live in a world where those developing software must continuously fix, and customers apply, often with some urgency, patches to address vulnerabilities that can be exploited to steel data or corrupt the operation of our computers and digital equipment. This latest list from Mozilla contains a mix of issues from ones that would only effect single users when they try a specific operation through to 22751 which covers several memory safety bugs that are described as able to be exploited by cyber-attackers to run arbitrary code. Particularly telling for this report is the lack of information, including from the central CVE database, that could be used to tip off cyber-attackers on how they could take over machines. While some high impact reports are limited towards denial of service, for arbitrary code execution bugs it is critical for everyone to patch as soon as possible, before attacker’s reverse engineer, the now public patch, and develop their exploitation and potentially insert ransomware, steal passwords or other crimes.

“The potential to exploit memory safety bugs was first identified back in the 1970’s, with recent analysis showing that around 70% of all CVE reported software vulnerabilities falling into this class of software bug.  Unfortunately, the way the hardware and software markets have evolved over this time has stopped industry from being able to block such vulnerabilities from exploitation.  In 2018 industry asked the UK government for help, and a subsequent initiative known as Digital Security by Design (DSbD) is being delivered through the UK Research and Innovation agency (UKRI) to work with UK and international industry and researchers to introduce fundamental new technologies at in the heart of all digital systems that can block this class of vulnerabilities from exploitation. While unable to stop all cyber issues, it will be a significant dent in the ongoing stream of exploitable vulnerabilities, while also providing developers additional techniques to secure their code.”

John Goodacre, Challenge Director for Digital Security by Design, and professor of computer architectures at the University of Manchester

You can find out more about the Industrial Strategy Challenge Fund here