- From: Pierre-Antoine Champin <pierre-antoine@w3.org>
- Date: Wed, 24 Nov 2021 13:09:11 +0100
- To: public-web-security@w3.org
- Message-ID: <60561d7c-c986-629c-e427-09f8229b1209@w3.org>
Hi,

I am new to this mailing list, and --disclaimer-- I don't consider myself an expert in security matters. However, this recently hit my inbox:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574

TL;DR:

> An issue was discovered in the Bidirectional Algorithm in the Unicode
> Specification through 14.0. It permits the visual reordering of
> characters via control sequences, which can be used to craft source code
> that renders different logic than the logical ordering of tokens
> ingested by compilers and interpreters. Adversaries can leverage this to
> encode source code for compilers accepting Unicode such that targeted
> vulnerabilities are introduced invisibly to human reviewers.

I was curious to see if this vulnerability could be used on the web, and yes it can. JavaScript code can be included in a page, that looks like it is doing something, but is actually doing something else (it probably also applies to HTML and CSS). The developer tools included in Firefox or Chrome provide no explicit hint about the fact that the rendered code is misleading!

See an example here: http://champin.net/2021/cve-2021-42574.html

It looks like something that at least browser vendors should address. But the impact might be broader and maybe there is something that W3C can/should do about it?

As I wrote above, I am not a "security person"(1). So I was curious to get more informed opinions on that issue.

pa

(1) but I find this hack really neat!
Received on Wednesday, 24 November 2021 12:09:14 UTC
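
The message above notes that browser developer tools give no hint when script text contains bidirectional controls. The following is an added example, not part of the original message or of any browser's code: a reviewer-side check that lists those controls in a piece of JavaScript source and rewrites them visibly. The function names, the sample input, and the per-line strict-nesting check are assumptions made for illustration.

```javascript
// Added example (not from the original message): flag Unicode bidi controls in source text.
const BIDI = new Map([
  [0x202a, "LRE"], [0x202b, "RLE"], [0x202c, "PDF"], [0x202d, "LRO"], [0x202e, "RLO"],
  [0x2066, "LRI"], [0x2067, "RLI"], [0x2068, "FSI"], [0x2069, "PDI"],
]);
// Which terminator each opening control expects.
const CLOSER = { LRE: "PDF", RLE: "PDF", LRO: "PDF", RLO: "PDF", LRI: "PDI", RLI: "PDI", FSI: "PDI" };

// Returns every bidi control with its position, plus the lines on which an
// embedding, override or isolate is still open at end of line (simplified
// strict-nesting check, treating each line as one bidi paragraph).
function scanBidi(source) {
  const findings = [];
  const unterminatedLines = [];
  source.split(/\r\n|\r|\n/).forEach((text, i) => {
    const open = [];
    let column = 0;
    for (const ch of text) {            // iterates by code point
      column += 1;
      const cp = ch.codePointAt(0);
      const name = BIDI.get(cp);
      if (!name) continue;
      const codePoint = "U+" + cp.toString(16).toUpperCase();
      findings.push({ line: i + 1, column, name, codePoint });
      if (name in CLOSER) open.push(CLOSER[name]);
      else if (open[open.length - 1] === name) open.pop();
    }
    if (open.length > 0) unterminatedLines.push(i + 1);
  });
  return { findings, unterminatedLines };
}

// Make the controls visible for review, e.g. in a diff or source viewer.
function escapeBidi(source) {
  return source.replace(/[\u202A-\u202E\u2066-\u2069]/g,
    (c) => "<U+" + c.codePointAt(0).toString(16).toUpperCase() + ">");
}

// Constructed sample input; the controls are written as \u escapes so that
// this listing itself contains no invisible characters.
const SAMPLE = [
  "let isAdmin = false;",
  "/* constructed: \u202E \u2066 note */ check(isAdmin);",
  "console.log('\u2067ok\u2069');",
].join("\n");

console.log(scanBidi(SAMPLE), escapeBidi(SAMPLE));
```

A check like this fits a pre-commit hook or CI step; a non-empty `findings` list in code that has no reason to contain right-to-left text is worth a manual look at the escaped form.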