There are several short-term methods that can mitigate the Trojan Source attack that abuses Unicode to inject malicious backdoors in source, according to experts.

The new attack method, identified by University of Cambridge researchers, tricks compilers into reading hidden Unicode characters and generating binaries with extra instructions and backdoors that the developer or security analyst do not know about. Because the special characters are not visible by default, the malicious code is unlikely to be discovered during code review.

Attacks based on how Unicode displays text are not new, but one reason why Trojan Source may feel like a bigger deal is because of the sheer amount of code that gets copy-and-pasted from public sites such as StackOVerflow, GitHub, and other centralized forums into the individual source code files. If there are problematic Unicode characters hidden in the file, those are getting copied in, as well.

“This scenario demonstrates the proactive power of source code reviews and it would be a good best practice not to copy and paste code for the time being,” says Jon Gaines, senior application consultant at nVisium. “It’s always better to rewrite it yourself.”

Make Unicode Visible

Developers can detect the potentially malicious Unicode characters by enabling the IDE or text editors they are working with to display Unicode, or using a command-line hex editor such as HexEd.It and search for specific Unicode characters in the file, Gaines says.

Major source control platforms have already responded, as Github, Gitlab and Atlassian (for BitBucket) already post alerts for the Unicode BiDi characters (CVE-2021-42574).