Rust vulnerability allows attackers to delete files and directories

Maintainers of the Rust programming language have warned of a critical vulnerability that allows attackers to delete files and directories.

In a security advisory, the Rust Security Response Working Group wrote:

“The Rust Security Response WG has been made aware that the standard library function std::fs::remove_dir_all is vulnerable to a race condition allowing symbolic link following (CWE-363).

An attacker could use this security issue to trick a privileged program into deleting files and directories that the attacker could not otherwise access or delete.”

Rust 1.0.0 through Rust 1.58.0 are affected by the vulnerability. Rust 1.58.1, which includes mitigations for the issue, has been released.

The working group warns that macOS versions prior to 10.10 (Yosemite) and REDOX “do not have usable APIs to properly mitigate the attack, and are therefore still vulnerable even with a patched toolchain.”
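A toolchain audit against the range and platform caveat above, as an added example that is not code from the advisory or the Rust project. The `Status` names, the `classify` helper and the caller-supplied macOS version are assumptions made for illustration, and the sample version lines are constructed.

```rust
// Added example: audit a build toolchain against the advisory's affected range.
#[derive(Debug, PartialEq)]
enum Status {
    Affected,          // Rust 1.0.0 through 1.58.0
    Patched,           // 1.58.1 or later on a platform with usable APIs
    PatchedButExposed, // patched toolchain, but macOS < 10.10 or Redox target
    Unknown,           // unparsable, or a build the article says nothing about
}

/// Parse a `rustc --version` line into ((major, minor, patch), is_prerelease).
fn parse_rustc_version(line: &str) -> Option<((u32, u32, u32), bool)> {
    let mut tokens = line.split_whitespace();
    if tokens.next()? != "rustc" {
        return None;
    }
    let ver = tokens.next()?;
    // "1.60.0-nightly" or "1.59.0-beta.2": split off the channel suffix.
    let (core, prerelease) = match ver.split_once('-') {
        Some((c, _)) => (c, true),
        None => (ver, false),
    };
    let mut parts = core.split('.').map(|p| p.parse::<u32>().ok());
    Some(((parts.next()??, parts.next()??, parts.next()??), prerelease))
}

/// `os` uses the values of std::env::consts::OS; `macos` is the (major, minor)
/// OS version the binary will run on, supplied by the caller (assumption).
fn classify(rustc_line: &str, os: &str, macos: Option<(u32, u32)>) -> Status {
    let (ver, prerelease) = match parse_rustc_version(rustc_line) {
        Some(parsed) => parsed,
        None => return Status::Unknown,
    };
    // The article gives a range for stable releases only.
    if prerelease || ver < (1, 0, 0) {
        return Status::Unknown;
    }
    if ver <= (1, 58, 0) {
        return Status::Affected;
    }
    let lacks_apis = os == "redox" || (os == "macos" && macos.map_or(false, |v| v < (10, 10)));
    if lacks_apis { Status::PatchedButExposed } else { Status::Patched }
}

fn main() {
    // Constructed sample lines (the hash and date fields are placeholders).
    for line in ["rustc 1.58.0 (0000000 2022-01-01)", "rustc 1.58.1 (0000000 2022-01-01)"] {
        println!("{} -> {:?}", line, classify(line, std::env::consts::OS, None));
    }
}
```

Run the check against the toolchain that builds the program: the standard library is compiled into each binary, so existing binaries must be rebuilt with a patched toolchain to pick up the mitigation.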

Growing popularity

Rust is not yet among the most widely used programming languages, but it has grown in popularity in recent years.

In the 2021 Stack Overflow Survey, Rust retained its most popular language crown for the sixth year in a row. However, the language has yet to reach the top 10 by usage, coming in at 16th place, just behind Kotlin and one place ahead of Ruby.

Last year, Rust created its own independent foundation to help promote and foster the use of Rust “as enterprise production-ready technology.” Five major companies support the Rust Foundation: Microsoft, Huawei, Google, AWS and, of course, Mozilla.

Just a few months after joining the Rust Foundation, Google announced that it was adding support for the language to Android in an effort to fix memory safety bugs.

“The Android operating system uses Java extensively, effectively protecting large parts of the Android platform from memory bugs. Unfortunately, for the lower layers of the operating system, Java and Kotlin are not an option,” explained Google.

“Rust provides memory safety guarantees using a combination of compile-time checks to enforce object lifetime/ownership and run-time checks to ensure that memory accesses are valid.”
