Unpatched 15-year old Python bug allows code execution in 350k projects - BleepingComputer

Sep 21, 2022


A vulnerability in the Python programming language that has been overlooked for 15 years is back in the spotlight: it likely affects more than 350,000 open-source repositories and can lead to code execution.

Disclosed in 2007 and tracked as CVE-2007-4559, the issue never received a patch; the only mitigation provided was a documentation update warning developers about the risk.

Earlier this year, while investigating another security issue, a researcher at Trellix rediscovered CVE-2007-4559. Trellix is a new extended detection and response (XDR) vendor formed by the merger of McAfee Enterprise and FireEye.

"Failure to write any safety code to sanitize the member files before calling tarfile.extract() or tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system," said Charles McFarland, vulnerability researcher in the Trellix Advanced Threat Research team.
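The check McFarland describes, as an added example that is not code from the article or from Trellix: a constructed tar archive carrying one benign file, one member named `../../evil.txt` and one symlink pointing outside the extraction directory, beside a `traversal_members()` pre-check and a `safe_extractall()` wrapper that refuses the archive when any member would land or link outside the destination. The function names, the sample archive and the `/tmp/extract` path are assumptions made for this illustration.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar(include_evil: bool = True) -> bytes:
    """Constructed sample archive (not taken from the Trellix write-up).

    Always contains one benign file. With include_evil=True it also carries a
    member whose name climbs out of the extraction directory and a symlink
    that points outside it, the two patterns a naive extractall() follows.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        good = tarfile.TarInfo("README.txt")
        data = b"benign content\n"
        good.size = len(data)
        tar.addfile(good, io.BytesIO(data))

        if include_evil:
            evil = tarfile.TarInfo("../../evil.txt")
            payload = b"written outside the target directory\n"
            evil.size = len(payload)
            tar.addfile(evil, io.BytesIO(payload))

            link = tarfile.TarInfo("cfg")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../../etc"
            tar.addfile(link)
    return buf.getvalue()


def _is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or to something beneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def traversal_members(tar_bytes: bytes, dest: str) -> list[str]:
    """Names of members that would be written, or would link, outside dest."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            path = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not _is_within(dest, path):
                bad.append(m.name)
                continue
            if m.issym() or m.islnk():
                # Symlink targets are relative to the link's own directory;
                # hard-link targets are relative to the archive root.
                anchor = os.path.dirname(path) if m.issym() else dest
                target = os.path.join(anchor, m.linkname)
                if os.path.isabs(m.linkname) or not _is_within(dest, target):
                    bad.append(m.name)
    return bad


def safe_extractall(tar_bytes: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member escapes dest; otherwise extract."""
    bad = traversal_members(tar_bytes, dest)
    if bad:
        raise tarfile.ExtractError(f"refusing to extract: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        # Python 3.12 (and the security backports) added extraction filters;
        # use the strict one when present, on top of the check above.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return sorted(m.name for m in tar.getmembers())


def demo() -> dict:
    """Run both archives against a throwaway directory and report the outcome."""
    result = {}
    with tempfile.TemporaryDirectory() as dest:
        result["rejected"] = traversal_members(build_sample_tar(), dest)
        try:
            safe_extractall(build_sample_tar(), dest)
            result["malicious_extracted"] = True
        except tarfile.ExtractError:
            result["malicious_extracted"] = False
        result["benign_extracted"] = safe_extractall(build_sample_tar(False), dest)
        result["readme_present"] = os.path.isfile(os.path.join(dest, "README.txt"))
    return result


if __name__ == "__main__":
    print(demo())
```

The pre-check resolves every member path with `os.path.realpath` and compares it against the destination, so `..` segments, absolute names and link targets that escape are all caught before anything touches disk; rejecting the whole archive rather than skipping the bad member avoids leaving a half-extracted tree behind. Where the interpreter offers `tarfile.data_filter`, the `filter="data"` argument adds the standard library's own enforcement of the same rule.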

Analyzing the impact, Trellix researchers found that the vulnerability was present in thousands of software projects, both open and closed source.

The researchers scraped a set of 257 repositories more likely to include the vulnerable code and manually checked 175 of them to see if they were affected.

Running an automated check on the rest of the repositories raised the share of affected projects to 65%, indicating a widespread issue.

Using the 61% vulnerability rate verified manually, Trellix estimates that there are more than 350,000 vulnerable repositories, many of them used by machine learning tools (e.g. GitHub Copilot) that help developers complete a project faster.

Such automated tools rely on code from hundreds of thousands of repositories to provide "auto-complete" options.

If they provide insecure code, the issue propagates to other projects without the developer knowing it.

Looking further into the problem, Trellix found that open-source code vulnerable to CVE-2007-4559 "spans a vast number of industries."

In a technical blog post published today, Trellix vulnerability researcher Kasimir Schulz, who rediscovered the bug, described the simple steps to exploit CVE-2007-4559 in the Windows version of Spyder IDE, an open-source, cross-platform integrated development environment for scientific programming.

The researchers showed that the vulnerability can be exploited on Linux, too.

Apart from drawing attention to the vulnerability and the risk it poses, Trellix also created patches for a little over 11,000 projects.

Because of the large number of affected repositories, the researchers expect more than 70,000 projects to receive a fix in the next few weeks.
