All news with #rust tag

Thu, November 20, 2025

Android Quick Share Interoperability with AirDrop Security

🔒 Google announced cross-platform file sharing between Android and iOS by making Quick Share interoperable with AirDrop, starting with the Pixel 10 family. The company describes a "secure by design" process that included threat modeling, internal security and privacy reviews, and in-house penetration testing. The interoperability layer is written in Rust to reduce memory-safety risk when parsing data received over the air, and transfers are direct peer‑to‑peer, with no content routed through Google servers. Google also engaged third‑party testers and experts, who validated the implementation and found no information leakage.

read more →

Mon, November 17, 2025

Android Memory Bugs Drop as Google Expands Rust Use

🛡️ Google reports that adopting Rust across Android has, for the first time, pushed memory-safety bugs below 20% of all Android vulnerabilities, and claims roughly a 1000x lower vulnerability density for Rust code than for legacy C and C++. The company says Rust changes have a 4x lower rollback rate, need about 20% fewer revisions, and take roughly 25% less code review time, improving overall delivery speed. Google plans to extend Rust to the kernel, firmware and critical first-party apps while keeping its layered defenses in place.

read more →

Fri, November 14, 2025

AWS Lambda Announces General Availability of Rust Support

🚀 AWS has declared Rust support in AWS Lambda Generally Available, promoting the runtime out of its prior experimental status and making it suitable for production workloads. The GA release is backed by AWS Support and the Lambda SLA and is available in all AWS Regions, including GovCloud (US) and China. Rust on Lambda delivers high performance, memory efficiency, and compile-time safety for serverless functions. Developers can now build business-critical serverless applications in Rust while leveraging Lambda's event integrations, fast scaling from zero, automatic patching, and usage-based pricing.

read more →

Thu, November 13, 2025

Rust in Android: Faster Development and Fewer Bugs

🦀 Rust adoption in Android is delivering both security and speed gains, with 2025 data showing memory-safety flaws falling below 20% of total vulnerabilities. Android reports a ~1000x reduction in memory-safety vulnerability density for Rust versus C/C++, plus 20% fewer revisions, 25% shorter code review time, and a ~4x lower rollback rate. Expansion includes kernel, firmware, and first-party apps; a near-miss CVE was fixed pre-release and led to improved allocator crash reporting and additional unsafe-Rust training.

read more →

Wed, October 22, 2025

High-severity TAR parsing bug found in popular Rust libraries

🛡️ Researchers at Edera disclosed a high-severity boundary-parsing flaw they named TARmageddon (CVE-2025-62518, CVSS 8.1) in the async-tar family and many of its forks, including the widely used tokio-tar. The desynchronization bug lets an attacker smuggle extra archive entries during nested TAR extraction, enabling file overwrites that can lead to remote code execution or supply-chain compromise. Administrators should patch affected forks, consider migrating to the patched astral-tokio-tar ≥0.5.6, and scan Rust-built applications for the vulnerable dependency.

read more →

Wed, October 22, 2025

TARmageddon: Abandoned Rust tar library enables RCE

🚨 A high-severity logic flaw in the abandoned async-tar Rust library and its forks allows unauthenticated attackers to inject archive entries and achieve remote code execution when nested TARs with mismatched ustar and PAX headers are processed. Edera, which named the issue TARmageddon and tracked it as CVE-2025-62518, explains that the parser can jump into file content and mistake it for headers, so attacker-supplied entries get extracted. The bug also affects the widely used but abandoned tokio-tar fork (7M+ downloads), while several actively maintained forks have already been patched. Developers are advised to upgrade to a patched fork such as astral-tokio-tar or remove the vulnerable dependency immediately.

read more →

Wed, October 22, 2025

TARmageddon: High-Severity Flaw in async-tar Rust ecosystem

⚠️ Researchers disclosed a high-severity vulnerability (CVE-2025-62518, CVSS 8.1) in the async-tar Rust library and forks such as tokio-tar that can enable remote code execution via file-overwrite attacks when processing nested TAR archives. Edera, which found the issue in late August 2025, attributes the problem to inconsistent handling of the PAX and ustar headers for the same entry: an attacker can 'smuggle' additional entries by exploiting the PAX size override. Because tokio-tar appears unmaintained, users are advised to migrate to astral-tokio-tar v0.5.6, which patches the boundary-parsing vulnerability in projects such as testcontainers and wasmCloud.
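
The three TARmageddon items above describe the bug class but not the mechanics. The following is an added example, not Edera's proof of concept and not the async-tar or tokio-tar code: a std-only tar reader that builds a constructed archive in which the ustar header for `inner.tar` claims size 0 while a PAX record says 1024, and whose cursor-advance step can be switched between a desynced variant (reads the PAX size, advances by the ustar size) and the consistent one. The entry names, the `PaxHeaders/` naming and the choice of 0 as the mismatched size are illustrative assumptions; the header offsets are the POSIX ustar layout.

```rust
// Added example modelling the ustar/PAX size desync described for TARmageddon.
// Not the async-tar/tokio-tar code; a minimal std-only reader on a constructed archive.
const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub struct Entry { pub name: String, pub size: u64 }

fn round_up(n: u64) -> usize { (n as usize + BLOCK - 1) / BLOCK * BLOCK }

/// NUL/space-terminated octal field, as used for the size in ustar headers.
fn octal(field: &[u8]) -> u64 {
    let digits: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    u64::from_str_radix(digits.trim(), 8).unwrap_or(0)
}

/// POSIX ustar header: name@0, mode@100, size@124, chksum@148, typeflag@156, magic@257.
fn header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0");
    h[108..116].copy_from_slice(b"0000000\0");
    h[116..124].copy_from_slice(b"0000000\0");
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[136..148].copy_from_slice(b"00000000000\0");
    h[148..156].copy_from_slice(b"        "); // checksum computed with this field as spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

fn pad(v: &mut Vec<u8>) { while v.len() % BLOCK != 0 { v.push(0); } }

/// PAX record "<len> key=value\n", where <len> counts its own digits.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len { len = len.to_string().len() + body.len(); }
    format!("{}{}", len, body).into_bytes()
}

/// Extract the `size` override from a PAX extended-header body, if present.
fn pax_size(body: &[u8]) -> Option<u64> {
    let (mut rest, mut size) = (body, None);
    while !rest.is_empty() {
        let sp = rest.iter().position(|&b| b == b' ')?;
        let len: usize = std::str::from_utf8(&rest[..sp]).ok()?.parse().ok()?;
        if len <= sp + 1 || len > rest.len() { return None; }
        let rec = std::str::from_utf8(&rest[sp + 1..len]).ok()?.trim_end_matches('\n');
        if let Some(v) = rec.strip_prefix("size=") { size = v.parse().ok(); }
        rest = &rest[len..];
    }
    size
}

/// Walk the archive. `consistent = true` is the fix: advance by the same effective
/// (PAX-overridden) size used for the entry's data. `false` reports the PAX size but
/// advances by the ustar size, so a mismatch parks the cursor inside file content,
/// where the next "header" is whatever the file contains.
pub fn list_entries(archive: &[u8], consistent: bool) -> Vec<Entry> {
    let (mut out, mut pos, mut pending_pax): (Vec<Entry>, usize, Option<u64>) = (Vec::new(), 0, None);
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive block
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let ustar_size = octal(&h[124..136]);
        let typeflag = h[156];
        pos += BLOCK;
        if typeflag == b'x' {
            let end = (pos + ustar_size as usize).min(archive.len());
            pending_pax = pax_size(&archive[pos..end]);
            pos += round_up(ustar_size);
            continue;
        }
        let effective = pending_pax.take().unwrap_or(ustar_size);
        out.push(Entry { name, size: effective });
        let advance = if consistent { effective } else { ustar_size };
        pos += round_up(advance);
    }
    out
}

/// Constructed archive: PAX says inner.tar is 1024 bytes, its ustar header says 0, and the
/// body is itself a tar holding "smuggled/evil"; an honest entry and end blocks follow.
pub fn build_archive() -> Vec<u8> {
    let mut inner = Vec::new();
    inner.extend_from_slice(&header("smuggled/evil", 4, b'0'));
    inner.extend_from_slice(b"pwn\n");
    pad(&mut inner);
    let rec = pax_record("size", &inner.len().to_string());
    let mut outer = Vec::new();
    outer.extend_from_slice(&header("PaxHeaders/inner.tar", rec.len() as u64, b'x'));
    outer.extend_from_slice(&rec);
    pad(&mut outer);
    outer.extend_from_slice(&header("inner.tar", 0, b'0')); // the deliberate mismatch
    outer.extend_from_slice(&inner);
    outer.extend_from_slice(&header("legit.txt", 5, b'0'));
    outer.extend_from_slice(b"hello");
    pad(&mut outer);
    outer.extend_from_slice(&[0u8; 2 * BLOCK]);
    outer
}

fn main() {
    let archive = build_archive();
    println!("desynced reader : {:?}", list_entries(&archive, false));
    println!("consistent reader: {:?}", list_entries(&archive, true));
}
```

The consistent reader lists two entries (`inner.tar`, `legit.txt`); the desynced one lists three, with `smuggled/evil` appearing as a top-level entry between them. A PAX size override is legitimate on its own (it is how archives carry files larger than the 11-digit octal field allows), so the fix is not to reject it but to use one effective size for both reading and skipping; a reader that also refuses headers whose checksum does not verify makes accidental desync easier to notice, though it does not stop an attacker who writes valid inner headers on purpose.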

read more →

Mon, October 13, 2025

Rust-Based ChaosBot Backdoor Uses Discord for C2 Operations

🔒 eSentire disclosed a Rust-based backdoor named ChaosBot that leverages Discord channels for command-and-control, allowing operators to perform reconnaissance and execute arbitrary commands on compromised systems. The intrusion, first observed in late September 2025 at a financial services customer, began after attackers used compromised Cisco VPN credentials and an over-privileged Active Directory service account via WMI. Distribution included phishing LNK files that launch PowerShell and display a decoy PDF, while the payload sideloads a malicious DLL through Microsoft Edge to deploy an FRP reverse proxy. ChaosBot supports commands to run shells, capture screenshots, and transfer files, and newer variants employ ETW patching and VM detection to evade analysis.

read more →

Fri, September 26, 2025

Cloudflare FL2: Rust Rewrite Cuts Latency and Boosts CDN

🚀 Cloudflare announced FL2, a complete reimplementation of its FL request-processing layer using Rust and the Oxy framework. FL2 adopts strict modular phases, eliminates cross-language overhead, and supports graceful restarts with systemd socket activation and the Rust-based shellflip coordinator. Internal and third-party tests show FL2 reduces median response times by ~10 ms and delivers a ~25% performance improvement; staged rollouts, automated testing, and fallbacks to FL1 enabled safe incremental migration.

read more →

Thu, September 25, 2025

Malicious Rust crates on Crates.io exfiltrate crypto keys

🔒 Two malicious Rust crates published to crates.io scanned developer systems at runtime to harvest cryptocurrency private keys and other secrets. The packages, faster_log and async_println, impersonated the legitimate fast_log logging crate to avoid detection and carried a hidden payload that searched files and environment variables for Ethereum-style hex keys, Solana-style Base58 strings, and bracketed byte arrays. Discovered by Socket, both crates were removed and the publisher accounts suspended; affected developers are advised to clean their systems and move assets to new wallets.

read more →

Thu, September 25, 2025

Malicious Rust crates stole Solana and Ethereum keys

🛡️ Security researchers discovered two malicious Rust crates impersonating the legitimate fast_log library that covertly scanned source files for Solana and Ethereum private keys and exfiltrated matches to a hardcoded command-and-control endpoint. Published on May 25, 2025 under the aliases rustguruman and dumbnbased, the packages — faster_log and async_println — accumulated 8,424 downloads before crates.io maintainers removed them following responsible disclosure. Socket and crates.io preserved logs and artifacts for analysis, and maintainers noted the payload executed at runtime when projects were run or tested rather than at build time.
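
Both crates items above say the payload hunted for three key shapes but do not show what that search looks like. The following is an added example, written for this page and not Socket's analysis code or the crates' payload: a std-only scanner that recognises the same three shapes (64 hex digits with or without `0x`, an 87- or 88-character Base58 string, and a bracketed 64-element byte array). It is meant for running over your own tree before an attacker's code does. The sample text it scans is constructed from repeated placeholder bytes and contains no real keys; the key lengths are the standard secp256k1 and Solana keypair sizes.

```rust
// Added example (not Socket's or the crates' code): a std-only scanner for the key
// shapes the faster_log/async_println payload is reported to have searched for.
#[derive(Debug, PartialEq)]
pub enum KeyShape { EthHex, SolanaBase58, ByteArray }

#[derive(Debug, PartialEq)]
pub struct Finding { pub line: usize, pub shape: KeyShape, pub preview: String }

const BASE58: &[u8] = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

/// secp256k1 private keys are 32 bytes: 64 hex digits, with or without "0x".
/// Solana keypairs are 64 bytes, which Base58-encode to 87 or 88 characters.
fn classify_token(tok: &str) -> Option<KeyShape> {
    let hex = tok.strip_prefix("0x").unwrap_or(tok);
    if hex.len() == 64 && hex.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Some(KeyShape::EthHex);
    }
    if (tok.len() == 87 || tok.len() == 88) && tok.bytes().all(|b| BASE58.contains(&b)) {
        return Some(KeyShape::SolanaBase58);
    }
    None
}

/// "[n, n, ...]" with exactly 64 values in 0..=255: the JSON layout of a Solana keypair file.
fn is_byte_array(s: &str) -> bool {
    let inner = match s.strip_prefix('[').and_then(|r| r.strip_suffix(']')) {
        Some(i) => i,
        None => return false,
    };
    let mut count = 0;
    for part in inner.split(',') {
        match part.trim().parse::<u16>() {
            Ok(v) if v <= 255 => count += 1,
            _ => return false,
        }
    }
    count == 64
}

/// Never log the whole match; a few leading characters are enough to locate it.
fn preview(s: &str) -> String { format!("{}...", &s[..s.len().min(6)]) }

pub fn scan(text: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, line) in text.lines().enumerate() {
        // Alphanumeric runs are the hex / Base58 candidates.
        let tokens = line.split(|c: char| !c.is_ascii_alphanumeric()).filter(|t| !t.is_empty());
        for tok in tokens {
            if let Some(shape) = classify_token(tok) {
                out.push(Finding { line: i + 1, shape, preview: preview(tok) });
            }
        }
        // Bracketed arrays: outermost '[' .. ']' on the line.
        if let (Some(a), Some(b)) = (line.find('['), line.rfind(']')) {
            if a < b && is_byte_array(&line[a..=b]) {
                out.push(Finding { line: i + 1, shape: KeyShape::ByteArray, preview: preview(&line[a..=b]) });
            }
        }
    }
    out
}

/// Constructed sample: placeholder values with the right shape, not real keys.
pub fn sample_text() -> String {
    let bytes: Vec<String> = (1..=64).map(|n| n.to_string()).collect();
    format!(
        "ETH_PRIVATE_KEY=0x{}\nRPC_URL=https://example.invalid\nSOLANA_SECRET={}\nkeypair = [{}]\nbuild_id=deadbeef\n",
        "61".repeat(32),
        "5".repeat(88),
        bytes.join(", ")
    )
}

fn main() {
    for f in scan(&sample_text()) {
        println!("line {}: {:?} {}", f.line, f.shape, f.preview);
    }
}
```

On the sample the scanner reports three findings (lines 1, 3 and 4) and ignores `deadbeef`, which is hex but the wrong length. Shape matching of this kind is deliberately loose, which is exactly why the payload could use it without knowing anything about the victim's project; for a defensive scan, pair it with an entropy check or a wallet-address derivation to cut false positives before acting on a hit.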

read more →

Wed, September 17, 2025

How AWS Built a Flywheel to Improve Amazon RDS Security

🔒 As AWS implemented support for PL/Rust on Amazon RDS, engineers created a telemetry-driven 'flywheel' built around SELinux, monitoring, and incident response to safely enable compiled Rust functions. They developed mandatory access control policies, routed denials into telemetry with automated ticketing, and ran quarterly red/blue game days to refine playbooks and reduce noise. An October SELinux denial triggered an investigation that validated the controls and led to collaboration with Varonis Threat Labs.
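
The item above says denials were routed into telemetry with automated ticketing, but not what a denial looks like once parsed or how noise is separated from signal. The following is an added example, not the AWS RDS tooling: it parses SELinux AVC denial records in the format `audit.log` uses into structured events and applies a triage rule. The rule (ticket only enforced denials, and count-but-suppress a small allowlist of known-noisy domain/class/permission triples) and the sample log lines are constructed assumptions for illustration; the `postgresql_t` domain and the field names are the standard ones, but the specific denials shown are made up.

```rust
// Added example, not AWS's code: parse SELinux AVC denials and pick the ones to ticket.
#[derive(Debug, PartialEq)]
pub struct Denial {
    pub perm: String,
    pub comm: String,
    pub scontext: String,
    pub tcontext: String,
    pub tclass: String,
    pub enforced: bool, // permissive=0: the access was actually blocked
}

/// Pull `key=value` or `key="value"` out of an audit record.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let start = line.find(key)? + key.len();
    let rest = line[start..].strip_prefix('"').unwrap_or(&line[start..]);
    let end = rest.find(|c: char| c == '"' || c.is_whitespace()).unwrap_or(rest.len());
    Some(&rest[..end])
}

/// Returns None for anything that is not an AVC denial (SYSCALL records, etc.).
pub fn parse_avc(line: &str) -> Option<Denial> {
    if !(line.contains("avc:") && line.contains("denied")) {
        return None;
    }
    let perm = line[line.find('{')? + 1..line.find('}')?].trim().to_string();
    Some(Denial {
        perm,
        comm: field(line, "comm=")?.to_string(),
        scontext: field(line, "scontext=")?.to_string(),
        tcontext: field(line, "tcontext=")?.to_string(),
        tclass: field(line, "tclass=")?.to_string(),
        enforced: field(line, "permissive=")? == "0",
    })
}

/// Constructed allowlist of (source domain, class, permission) triples that are
/// counted in telemetry but never ticketed. Keep this short and reviewed.
const ALLOWLIST: &[(&str, &str, &str)] = &[("postgresql_t", "dir", "search")];

/// The type (third colon-separated field) of an SELinux context.
fn domain(ctx: &str) -> &str { ctx.split(':').nth(2).unwrap_or(ctx) }

pub fn needs_ticket(d: &Denial) -> bool {
    let dom = domain(&d.scontext);
    let noisy = ALLOWLIST.iter().any(|&(s, c, p)| s == dom && c == d.tclass.as_str() && p == d.perm.as_str());
    d.enforced && !noisy
}

/// Split a log into (ticketed, telemetry-only) denials.
pub fn triage(log: &str) -> (Vec<Denial>, Vec<Denial>) {
    let (mut ticket, mut quiet) = (Vec::new(), Vec::new());
    for d in log.lines().filter_map(parse_avc) {
        if needs_ticket(&d) { ticket.push(d) } else { quiet.push(d) }
    }
    (ticket, quiet)
}

/// Constructed sample: an enforced execute denial from the database domain, a known-noisy
/// directory search, a permissive-mode socket denial, and a non-AVC record.
pub fn sample_log() -> &'static str {
r#"type=AVC msg=audit(1700000000.101:401): avc:  denied  { execute } for  pid=2231 comm="postgres" path="/tmp/stage" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:402): avc:  denied  { search } for  pid=2231 comm="postgres" name="proc" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:403): avc:  denied  { connectto } for  pid=2240 comm="postgres" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1700000000.103:403): arch=c000003e syscall=42 success=no exit=-13"#
}

fn main() {
    let (ticket, quiet) = triage(sample_log());
    for d in &ticket { println!("TICKET  {} {} -> {} ({})", d.comm, d.perm, d.tcontext, d.tclass); }
    for d in &quiet { println!("telemetry only: {} {} ({})", d.comm, d.perm, d.tclass); }
}
```

Only the first line opens a ticket: a database process trying to execute something out of `/tmp` in enforcing mode is the kind of event the page's flywheel exists to surface. The other two still land in telemetry, which is what lets the quarterly game days tune the allowlist from data rather than from memory.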

read more →

Tue, September 9, 2025

Google Cloud Releases Official Rust SDK for Developers

🚀 Google Cloud has released an official Rust SDK that provides idiomatic, supported access to more than 140 Google Cloud APIs. The SDK includes built-in authentication (ADC, OAuth2, API Keys, service accounts, and upcoming Workload Identity Federation), documentation, and code samples to streamline development. It targets high-performance backends, secure data processing, and real-time analytics, and the project is available on crates.io and GitHub for feedback and contributions.

read more →