Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks. […]
I’m not sure why everyone’s focusing in on Rust, this seems like a general Windows issue to me, thus affecting most major languages.
Original Report: BatBadBut: You can’t securely execute commands on Windows
Yeah it seems weirdly specific. Also, if you pass user input to command args directly, you are asking for trouble.
“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected.”
According to the article the following other langs are affected:
- Erlang (documentation update)
- Go (documentation update)
- Haskell (patch available)
- Java (won’t fix)
- Node.js (patch will be available)
- PHP (patch will be available)
- Python (documentation update)
- Ruby (documentation update)
Seems like most languages don’t even treat this as a real security vulnerability?