Discussions on software vulnerability management intensify following a surge in attacks on supply chains

Developers and researchers disagree over who is liable for detecting vulnerabilities promptly and over how customers should be notified; this disagreement can leave security flaws unaddressed, and it may persist.


In the ever-evolving world of technology, the importance of software security continues to be a pressing concern. Recent findings by researchers at SonarSource have uncovered a zero-day vulnerability in the Squirrel Engine, a programming language commonly used in video games and cloud services, including Counter-Strike: Global Offensive.

The vulnerability allows attackers to bypass sandbox restrictions and execute arbitrary code within the SquirrelVM, potentially gaining access to the underlying machine. This discovery comes amidst a series of malicious attacks in 2021 exploiting vulnerabilities in the software supply chain, such as the notable ransomware attack on Kaseya and the backdoor installed into SolarWinds Orion.

The SolarWinds attack in 2020 involved the malicious insertion of malware into the SolarWinds Orion platform, raising questions about the security of software infrastructure. A study released in July 2021 by Venafi suggests that future attacks will use similar techniques.

The vulnerability in SquirrelLang could potentially be used to embed backdoors in community content distributed via the Steam workshop. This discovery has sparked concerns among corporate stakeholders, who are now questioning the risk calculus of their technology stacks and whether they are potential targets.

The SonarSource team has recommended that all project owners who depend on Squirrel rebuild the latest Squirrel version from source code. However, as of the publication of the SonarSource blog, the fix has not been included in a new, stable release of Squirrel. This leaves many users in a vulnerable position, unsure of how to protect their systems.

The debate over who should be responsible for detecting and mitigating security flaws during the software development process continues. According to a Venafi study, exactly 48% of respondents believe that security teams are responsible for fixing flaws, while an equal percentage believes that software development teams are responsible. Om Moolchandani, CTO of Accurics, suggests detecting vulnerabilities in the design and development phase and using automation to remediate flaws as a better approach.

Gartner has developed guidance on notification, including providing clear details on workarounds, patches, and cohabitation issues, thanking researchers if applicable, and pointing to the responsible disclosure program. However, the Kaseya ransomware attack raised questions about the timing of when companies should notify customers of potential vulnerabilities and whether those risks need to be reported to an outside authority.

As the landscape of software security continues to evolve, it is crucial for both developers and security teams to collaborate closely to ensure the protection of systems and data. The discovery of the SquirrelLang vulnerability serves as a reminder of the importance of vigilance and proactive measures in the face of potential threats.
