A vulnerability in the Python programming language that has been overlooked for 15 years is back in the spotlight, as it likely affects more than 350,000 open-source repositories and can lead to code execution.
Disclosed in 2007 and tagged as CVE-2007-4559, the security issue never received a patch; the only mitigation provided was a documentation update warning developers about the risk.
Earlier this year, a researcher at Trellix rediscovered CVE-2007-4559 while investigating another security issue. Trellix is a new business providing extended detection and response (XDR) solutions, formed by the merger of McAfee Enterprise and FireEye.
"Failure to write any safety code to sanitize the member files before calling tarfile.extract() or tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system." - Charles McFarland, vulnerability researcher in the Trellix Advanced Threat Research team.
Analyzing the impact, Trellix researchers found that the vulnerability was present in thousands of software projects, both open and closed source.
The researchers scraped a set of 257 repositories more likely to include the vulnerable code and manually checked 175 of them to see if they were affected.
An automated check on the remaining repositories raised the share of affected projects to 65%, indicating a widespread issue.
Using the 61% vulnerability rate verified manually, Trellix estimates that there are more than 350,000 vulnerable repositories, many of them used by machine learning tools (e.g. GitHub Copilot) that help developers complete a project faster.
Such automated tools rely on code from hundreds of thousands of repositories to provide "auto-complete" options.
If they suggest insecure code, the issue propagates to other projects without the developer knowing it.
Looking further into the problem, Trellix found that open-source code vulnerable to CVE-2007-4559 "spans a vast number of industries."
In a technical blog post today, Trellix vulnerability researcher Kasimir Schulz, who rediscovered the bug, described the simple steps to exploit CVE-2007-4559 in the Windows version of Spyder IDE, an open-source cross-platform integrated development environment for scientific programming.
The researchers showed that the vulnerability can be leveraged on Linux, too.
Apart from drawing attention to the vulnerability and the risk it poses, Trellix also created patches for a little over 11,000 projects.
Because of the large number of affected repositories, the researchers expect more than 70,000 projects to receive a fix in the next few weeks.